interface AuthenticateCognitoActionProps

Language	Type name
.NET	`Amazon.CDK.AWS.ElasticLoadBalancingV2.Actions.AuthenticateCognitoActionProps`
Go	`github.com/aws/aws-cdk-go/awscdk/v2/awselasticloadbalancingv2actions#AuthenticateCognitoActionProps`
Java	`software.amazon.awscdk.services.elasticloadbalancingv2.actions.AuthenticateCognitoActionProps`
Python	`aws_cdk.aws_elasticloadbalancingv2_actions.AuthenticateCognitoActionProps`
TypeScript (source)	`aws-cdk-lib` » `aws_elasticloadbalancingv2_actions` » `AuthenticateCognitoActionProps`

Properties for AuthenticateCognitoAction.

Example

import { aws_certificatemanager as acm } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;
declare const certificate: acm.Certificate;

const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
  vpc,
  internetFacing: true,
});

const userPool = new cognito.UserPool(this, 'UserPool');
const userPoolClient = new cognito.UserPoolClient(this, 'Client', {
  userPool,

  // Required minimal configuration for use with an ELB
  generateSecret: true,
  authFlows: {
    userPassword: true,
  },
  oAuth: {
    flows: {
      authorizationCodeGrant: true,
    },
    scopes: [cognito.OAuthScope.EMAIL],
    callbackUrls: [
      `https://${lb.loadBalancerDnsName}/oauth2/idpresponse`,
    ],
  },
});
const cfnClient = userPoolClient.node.defaultChild as cognito.CfnUserPoolClient;
cfnClient.addPropertyOverride('RefreshTokenValidity', 1);
cfnClient.addPropertyOverride('SupportedIdentityProviders', ['COGNITO']);

const userPoolDomain = new cognito.UserPoolDomain(this, 'Domain', {
  userPool,
  cognitoDomain: {
    domainPrefix: 'test-cdk-prefix',
  },
});

lb.addListener('Listener', {
  port: 443,
  certificates: [certificate],
  defaultAction: new actions.AuthenticateCognitoAction({
    userPool,
    userPoolClient,
    userPoolDomain,
    next: elbv2.ListenerAction.fixedResponse(200, {
      contentType: 'text/plain',
      messageBody: 'Authenticated',
    }),
  }),
});

new CfnOutput(this, 'DNS', {
  value: lb.loadBalancerDnsName,
});

Properties

Name	Type	Description
next	`ListenerAction`	What action to execute next.
userPool	`IUserPool`	The Amazon Cognito user pool.
userPoolClient	`IUserPoolClient`	The Amazon Cognito user pool client.
userPoolDomain	`IUserPoolDomain`	The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
allowHttpsOutbound?	`boolean`	Allow HTTPS outbound traffic to communicate with the IdP.
authenticationRequestExtraParams?	`{ [string]: string }`	The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
onUnauthenticatedRequest?	`UnauthenticatedAction`	The behavior if the user is not authenticated.
scope?	`string`	The set of user claims to be requested from the IdP.
sessionCookieName?	`string`	The name of the cookie used to maintain session information.
sessionTimeout?	`Duration`	The maximum duration of the authentication session.

Type: ListenerAction

What action to execute next.

Multiple actions form a linked chain; the chain must always terminate in a (weighted)forward, fixedResponse or redirect action.

userPool

Type: IUserPool

The Amazon Cognito user pool.

userPoolClient

Type: IUserPoolClient

The Amazon Cognito user pool client.

userPoolDomain

Type: IUserPoolDomain

The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.

allowHttpsOutbound?

Type: boolean (optional, default: true)

Allow HTTPS outbound traffic to communicate with the IdP.

Set this property to false if the IP address used for the IdP endpoint is identifiable and you want to control outbound traffic. Then allow HTTPS outbound traffic to the IdP's IP address using the listener's connections property.

authenticationRequestExtraParams?

Type: { [string]: string } (optional, default: No extra parameters)

The query parameters (up to 10) to include in the redirect request to the authorization endpoint.

onUnauthenticatedRequest?

Type: UnauthenticatedAction (optional, default: UnauthenticatedAction.AUTHENTICATE)

The behavior if the user is not authenticated.

scope?

Type: string (optional, default: "openid")

The set of user claims to be requested from the IdP.

To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.

sessionCookieName?

Type: string (optional, default: "AWSELBAuthSessionCookie")

The name of the cookie used to maintain session information.

sessionTimeout?

Type: Duration (optional, default: Duration.days(7))

The maximum duration of the authentication session.