UserPoolClient

class aws_cdk.aws_cognito.UserPoolClient(scope, id, *, user_pool, access_token_validity=None, auth_flows=None, auth_session_validity=None, disable_o_auth=None, enable_propagate_additional_user_context_data=None, enable_token_revocation=None, generate_secret=None, id_token_validity=None, o_auth=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_client_name=None, write_attributes=None)

Bases: Resource

Define a UserPool App Client.

ExampleMetadata:

infused

Example:

pool = cognito.UserPool(self, "Pool")
provider = cognito.UserPoolIdentityProviderAmazon(self, "Amazon",
    user_pool=pool,
    client_id="amzn-client-id",
    client_secret="amzn-client-secret"
)

client = pool.add_client("app-client",
    # ...
    supported_identity_providers=[cognito.UserPoolClientIdentityProvider.AMAZON
    ]
)

client.node.add_dependency(provider)
Parameters:
  • scope (Construct) –

  • id (str) –

  • user_pool (IUserPool) – The UserPool resource this client will have access to.

  • access_token_validity (Optional[Duration]) – Validity of the access token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • auth_flows (Union[AuthFlow, Dict[str, Any], None]) – The set of OAuth authentication flows to enable on the client. Default: - If you don’t specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

  • auth_session_validity (Optional[Duration]) – Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. see defaults in AuthSessionValidity. Valid duration is from 3 to 15 minutes. Default: - Duration.minutes(3)

  • disable_o_auth (Optional[bool]) – Turns off all OAuth interactions for this client. Default: false

  • enable_propagate_additional_user_context_data (Optional[bool]) – Enable the propagation of additional user context data. You can only activate enablePropagateAdditionalUserContextData in an app client that has a client secret. Default: false for new user pool clients

  • enable_token_revocation (Optional[bool]) – Enable token revocation for this client. Default: true for new user pool clients

  • generate_secret (Optional[bool]) – Whether to generate a client secret. Default: false

  • id_token_validity (Optional[Duration]) – Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration can not be longer than the refresh token validity. Default: Duration.minutes(60)

  • o_auth (Union[OAuthSettings, Dict[str, Any], None]) – OAuth settings for this client to interact with the app. An error is thrown when this is specified and disableOAuth is set. Default: - see defaults in OAuthSettings. meaningless if disableOAuth is set.

  • prevent_user_existence_errors (Optional[bool]) – Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence. Default: false

  • read_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to read. Default: - all standard and custom attributes

  • refresh_token_validity (Optional[Duration]) – Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)

  • supported_identity_providers (Optional[Sequence[UserPoolClientIdentityProvider]]) – The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

  • user_pool_client_name (Optional[str]) – Name of the application client. Default: - cloudformation generated name

  • write_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to write. Default: - all standard and custom attributes

Methods

apply_removal_policy(policy)

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you’ve removed it from the CDK application or because you’ve made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).

Parameters:

policy (RemovalPolicy) –

Return type:

None

to_string()

Returns a string representation of this construct.

Return type:

str

Attributes

env

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.

node

The tree node.

o_auth_flows

The OAuth flows enabled for this client.

stack

The stack in which this resource is defined.

user_pool_client_id

Name of the application client.

user_pool_client_name

The client name that was specified via the userPoolClientName property during initialization, throws an error otherwise.

user_pool_client_secret

The generated client secret.

Only available if the “generateSecret” props is set to true

Static Methods

classmethod from_user_pool_client_id(scope, id, user_pool_client_id)

Import a user pool client given its id.

Parameters:
  • scope (Construct) –

  • id (str) –

  • user_pool_client_id (str) –

Return type:

IUserPoolClient

classmethod is_construct(x)

Checks if x is a construct.

Use this method instead of instanceof to properly detect Construct instances, even when the construct library is symlinked.

Explanation: in JavaScript, multiple copies of the constructs library on disk are seen as independent, completely different libraries. As a consequence, the class Construct in each copy of the constructs library is seen as a different class, and an instance of one class will not test as instanceof the other class. npm install will not create installations like this, but users may manually symlink construct libraries together or use a monorepo tool: in those cases, multiple copies of the constructs library can be accidentally installed, and instanceof will behave unpredictably. It is safest to avoid using instanceof, and using this type-testing method instead.

Parameters:

x (Any) – Any object.

Return type:

bool

Returns:

true if x is an object created from a class which extends Construct.

classmethod is_owned_resource(construct)

Returns true if the construct was created by CDK, and false otherwise.

Parameters:

construct (IConstruct) –

Return type:

bool

classmethod is_resource(construct)

Check whether the given construct is a Resource.

Parameters:

construct (IConstruct) –

Return type:

bool