interface AuthenticateCognitoActionProps
Language | Type name |
---|---|
![]() | Amazon.CDK.AWS.ElasticLoadBalancingV2.Actions.AuthenticateCognitoActionProps |
![]() | github.com/aws/aws-cdk-go/awscdk/v2/awselasticloadbalancingv2actions#AuthenticateCognitoActionProps |
![]() | software.amazon.awscdk.services.elasticloadbalancingv2.actions.AuthenticateCognitoActionProps |
![]() | aws_cdk.aws_elasticloadbalancingv2_actions.AuthenticateCognitoActionProps |
![]() | aws-cdk-lib » aws_elasticloadbalancingv2_actions » AuthenticateCognitoActionProps |
Properties for AuthenticateCognitoAction.
Example
import { aws_certificatemanager as acm } from 'aws-cdk-lib';
declare const vpc: ec2.Vpc;
declare const certificate: acm.Certificate;
const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
vpc,
internetFacing: true,
});
const userPool = new cognito.UserPool(this, 'UserPool');
const userPoolClient = new cognito.UserPoolClient(this, 'Client', {
userPool,
// Required minimal configuration for use with an ELB
generateSecret: true,
authFlows: {
userPassword: true,
},
oAuth: {
flows: {
authorizationCodeGrant: true,
},
scopes: [cognito.OAuthScope.EMAIL],
callbackUrls: [
`https://${lb.loadBalancerDnsName}/oauth2/idpresponse`,
],
},
});
const cfnClient = userPoolClient.node.defaultChild as cognito.CfnUserPoolClient;
cfnClient.addPropertyOverride('RefreshTokenValidity', 1);
cfnClient.addPropertyOverride('SupportedIdentityProviders', ['COGNITO']);
const userPoolDomain = new cognito.UserPoolDomain(this, 'Domain', {
userPool,
cognitoDomain: {
domainPrefix: 'test-cdk-prefix',
},
});
lb.addListener('Listener', {
port: 443,
certificates: [certificate],
defaultAction: new actions.AuthenticateCognitoAction({
userPool,
userPoolClient,
userPoolDomain,
next: elbv2.ListenerAction.fixedResponse(200, {
contentType: 'text/plain',
messageBody: 'Authenticated',
}),
}),
});
new CfnOutput(this, 'DNS', {
value: lb.loadBalancerDnsName,
});
Properties
Name | Type | Description |
---|---|---|
next | Listener | What action to execute next. |
user | IUser | The Amazon Cognito user pool. |
user | IUser | The Amazon Cognito user pool client. |
user | IUser | The domain prefix or fully-qualified domain name of the Amazon Cognito user pool. |
allow | boolean | Allow HTTPS outbound traffic to communicate with the IdP. |
authentication | { [string]: string } | The query parameters (up to 10) to include in the redirect request to the authorization endpoint. |
on | Unauthenticated | The behavior if the user is not authenticated. |
scope? | string | The set of user claims to be requested from the IdP. |
session | string | The name of the cookie used to maintain session information. |
session | Duration | The maximum duration of the authentication session. |
next
Type:
Listener
What action to execute next.
Multiple actions form a linked chain; the chain must always terminate in a (weighted)forward, fixedResponse or redirect action.
userPool
Type:
IUser
The Amazon Cognito user pool.
userPoolClient
Type:
IUser
The Amazon Cognito user pool client.
userPoolDomain
Type:
IUser
The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
allowHttpsOutbound?
Type:
boolean
(optional, default: true)
Allow HTTPS outbound traffic to communicate with the IdP.
Set this property to false if the IP address used for the IdP endpoint is identifiable
and you want to control outbound traffic.
Then allow HTTPS outbound traffic to the IdP's IP address using the listener's connections
property.
See also: https://repost.aws/knowledge-center/elb-configure-authentication-alb
authenticationRequestExtraParams?
Type:
{ [string]: string }
(optional, default: No extra parameters)
The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
onUnauthenticatedRequest?
Type:
Unauthenticated
(optional, default: UnauthenticatedAction.AUTHENTICATE)
The behavior if the user is not authenticated.
scope?
Type:
string
(optional, default: "openid")
The set of user claims to be requested from the IdP.
To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.
sessionCookieName?
Type:
string
(optional, default: "AWSELBAuthSessionCookie")
The name of the cookie used to maintain session information.
sessionTimeout?
Type:
Duration
(optional, default: Duration.days(7))
The maximum duration of the authentication session.