OAuthSettings

class aws_cdk.aws_cognito.OAuthSettings(*, callback_urls=None, default_redirect_uri=None, flows=None, logout_urls=None, scopes=None)

Bases: object

OAuth settings to configure the interaction between the app and this client.

Parameters:

callback_urls (Optional[Sequence[str]]) – List of allowed redirect URLs for the identity providers. Default: - [’https://example.com’] if either authorizationCodeGrant or implicitCodeGrant flows are enabled, no callback URLs otherwise.
default_redirect_uri (Optional[str]) – The default redirect URI. Must be in the callbackUrls list. A redirect URI must: - Be an absolute URI - Be registered with the authorization server. - Not include a fragment component. Default: - no default redirect URI
flows (Union[OAuthFlows, Dict[str, Any], None]) – OAuth flows that are allowed with this client. Default: {authorizationCodeGrant:true,implicitCodeGrant:true}
logout_urls (Optional[Sequence[str]]) – List of allowed logout URLs for the identity providers. Default: - no logout URLs
scopes (Optional[Sequence[OAuthScope]]) – OAuth scopes that are allowed with this client. Default: [OAuthScope.PHONE,OAuthScope.EMAIL,OAuthScope.OPENID,OAuthScope.PROFILE,OAuthScope.COGNITO_ADMIN]

ExampleMetadata:

infused

Example:

pool = cognito.UserPool(self, "Pool")

read_only_scope = cognito.ResourceServerScope(scope_name="read", scope_description="Read-only access")
full_access_scope = cognito.ResourceServerScope(scope_name="*", scope_description="Full access")

user_server = pool.add_resource_server("ResourceServer",
    identifier="users",
    scopes=[read_only_scope, full_access_scope]
)

read_only_client = pool.add_client("read-only-client",
    # ...
    o_auth=cognito.OAuthSettings(
        # ...
        scopes=[cognito.OAuthScope.resource_server(user_server, read_only_scope)]
    )
)

full_access_client = pool.add_client("full-access-client",
    # ...
    o_auth=cognito.OAuthSettings(
        # ...
        scopes=[cognito.OAuthScope.resource_server(user_server, full_access_scope)]
    )
)

Attributes

callback_urls

List of allowed redirect URLs for the identity providers.

Default:

[’https://example.com’] if either authorizationCodeGrant or implicitCodeGrant flows are enabled, no callback URLs otherwise.

default_redirect_uri

The default redirect URI. Must be in the callbackUrls list.

A redirect URI must:

Be an absolute URI
Be registered with the authorization server.
Not include a fragment component.

Default:

no default redirect URI

See:

https://tools.ietf.org/html/rfc6749#section-3.1.2

Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.

App callback URLs such as myapp://example are also supported.

flows

OAuth flows that are allowed with this client.

Default:

{authorizationCodeGrant:true,implicitCodeGrant:true}

See:

the ‘Allowed OAuth Flows’ section at https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html

logout_urls

List of allowed logout URLs for the identity providers.

Default:

no logout URLs

scopes

OAuth scopes that are allowed with this client.

Default:: [OAuthScope.PHONE,OAuthScope.EMAIL,OAuthScope.OPENID,OAuthScope.PROFILE,OAuthScope.COGNITO_ADMIN]
See:: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html