UserPoolClientOptions

class aws_cdk.aws_cognito.UserPoolClientOptions(*, access_token_validity=None, auth_flows=None, auth_session_validity=None, disable_o_auth=None, enable_propagate_additional_user_context_data=None, enable_token_revocation=None, generate_secret=None, id_token_validity=None, o_auth=None, prevent_user_existence_errors=None, read_attributes=None, refresh_token_validity=None, supported_identity_providers=None, user_pool_client_name=None, write_attributes=None)

Bases: object

Options to create a UserPoolClient.

Parameters:
  • access_token_validity (Optional[Duration]) – Validity of the access token. Values between 5 minutes and 1 day are valid. The duration cannot be longer than the refresh token validity. Default: Duration.minutes(60)

  • auth_flows (Union[AuthFlow, Dict[str, Any], None]) – The set of Cognito user pool authentication flows (SRP, user password, admin user password, custom) to enable on the client. These are the InitiateAuth/AdminInitiateAuth flows of the user pool API, not the OAuth 2.0 grants configured via o_auth. Default: - If you don’t specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

  • auth_session_validity (Optional[Duration]) – Cognito creates a session token for each API request in an authentication flow (for example, between a challenge and its response). This is the lifetime of that session token. Valid durations are 3 to 15 minutes. Default: - Duration.minutes(3)

  • disable_o_auth (Optional[bool]) – Turns off all OAuth interactions for this client. Default: false

  • enable_propagate_additional_user_context_data (Optional[bool]) – Propagate additional user context data (client IP address and device fingerprint) to the user pool for adaptive authentication. This can only be activated on an app client that has a client secret; enabling it without generate_secret is an error. Default: false for new user pool clients

  • enable_token_revocation (Optional[bool]) – Enable token revocation for this client, so that a refresh token (and the access and ID tokens issued from it) can be invalidated with the RevokeToken API. Default: true for new user pool clients

  • generate_secret (Optional[bool]) – Whether to generate a client secret. Generate one for confidential clients (server-side code that can keep the secret); leave it off for public clients such as single-page and mobile apps, where the secret cannot be protected. Default: false

  • id_token_validity (Optional[Duration]) – Validity of the ID token. Values between 5 minutes and 1 day are valid. The duration cannot be longer than the refresh token validity. Default: Duration.minutes(60)

  • o_auth (Union[OAuthSettings, Dict[str, Any], None]) – OAuth settings for this client to interact with the app. An error is thrown when this is specified and disableOAuth is set. Default: - see defaults in OAuthSettings. Meaningless if disableOAuth is set.

  • prevent_user_existence_errors (Optional[bool]) – Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence (true). With the default, sign-in and related API responses reveal which usernames exist (user enumeration); set this to true for clients reachable by untrusted callers. Default: false

  • read_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to read. Restrict this to what the client actually needs rather than relying on the default. Default: - all standard and custom attributes

  • refresh_token_validity (Optional[Duration]) – Validity of the refresh token. Values between 60 minutes and 10 years are valid. Default: Duration.days(30)

  • supported_identity_providers (Optional[Sequence[UserPoolClientIdentityProvider]]) – The list of identity providers that users should be able to use to sign in using this client. Default: - supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

  • user_pool_client_name (Optional[str]) – Name of the application client. Default: - cloudformation generated name

  • write_attributes (Optional[ClientAttributes]) – The set of attributes this client will be able to write. Restrict this to what the client actually needs; a client that can write every attribute can alter data other components trust. Default: - all standard and custom attributes

Example:

from aws_cdk import aws_cognito as cognito

# "self" is the Stack (or other Construct) this code runs inside.
pool = cognito.UserPool(self, "Pool")
pool.add_client("app-client",
    o_auth=cognito.OAuthSettings(
        flows=cognito.OAuthFlows(
            authorization_code_grant=True  # code grant only; no implicit grant
        ),
        scopes=[cognito.OAuthScope.OPENID],
        # Redirect targets must match these registered URLs exactly.
        callback_urls=["https://my-app-domain.com/welcome"],
        logout_urls=["https://my-app-domain.com/signin"]
    )
)

Attributes

access_token_validity

Validity of the access token.

Values between 5 minutes and 1 day are valid. The duration cannot be longer than the refresh token validity.

Default:

Duration.minutes(60)

See:

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

auth_flows

The set of Cognito user pool authentication flows (SRP, user password, admin user password, custom) to enable on the client. These are the InitiateAuth/AdminInitiateAuth flows of the user pool API, not the OAuth 2.0 grants configured via o_auth.

Default:
  • If you don’t specify a value, your user client supports ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH.

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html

auth_session_validity

Cognito creates a session token for each API request in an authentication flow (for example, between a challenge and its response).

This is the lifetime of that session token. Valid durations are 3 to 15 minutes.

Default:
  • Duration.minutes(3)

See:

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity

disable_o_auth

Turns off all OAuth interactions for this client.

Default:

false

enable_propagate_additional_user_context_data

Propagate additional user context data (client IP address and device fingerprint) to the user pool for adaptive authentication.

This can only be activated on an app client that has a client secret; enabling it without generate_secret is an error.

Default:

false for new user pool clients

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-adaptive-authentication.html#user-pool-settings-adaptive-authentication-device-fingerprint

enable_token_revocation

Enable token revocation for this client, so that a refresh token (and the access and ID tokens issued from it) can be invalidated with the RevokeToken API.

Default:

true for new user pool clients

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation

generate_secret

Whether to generate a client secret. Generate one for confidential clients (server-side code that can keep the secret); leave it off for public clients such as single-page and mobile apps, where the secret cannot be protected.

Default:

false

id_token_validity

Validity of the ID token.

Values between 5 minutes and 1 day are valid. The duration cannot be longer than the refresh token validity.

Default:

Duration.minutes(60)

See:

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token

o_auth

OAuth settings for this client to interact with the app.

An error is thrown when this is specified and disableOAuth is set.

Default:
  • see defaults in OAuthSettings. Meaningless if disableOAuth is set.

prevent_user_existence_errors

Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn’t reveal the user’s absence (true). With the default, sign-in and related API responses reveal which usernames exist (user enumeration); set this to true for clients reachable by untrusted callers.

Default:

false

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html

read_attributes

The set of attributes this client will be able to read. Restrict this to what the client actually needs rather than relying on the default.

Default:
  • all standard and custom attributes

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes

refresh_token_validity

Validity of the refresh token.

Values between 60 minutes and 10 years are valid.

Default:

Duration.days(30)

See:

https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token
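The token validity limits (access_token_validity, id_token_validity, refresh_token_validity, auth_session_validity) and the two option combinations this page calls errors (o_auth with disableOAuth, enablePropagateAdditionalUserContextData without a client secret) are easy to get wrong and only surface at synth time. The following added example, not part of aws_cdk, restates those constraints as a plain-Python pre-synth check, with timedelta standing in for Duration (assumption: Duration.minutes(n) corresponds to timedelta(minutes=n), and "10 years" is taken as 3650 days). The ClientOptions dataclass, its o_auth_specified field, the hardened_options() values and the warning list are this example's own choices, not CDK API.

```python
"""Pre-synth lint for UserPoolClientOptions values (added example, not aws_cdk code)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta
from typing import List

# Limits as documented for UserPoolClientOptions.
ACCESS_ID_MIN = timedelta(minutes=5)
ACCESS_ID_MAX = timedelta(days=1)
REFRESH_MIN = timedelta(minutes=60)
REFRESH_MAX = timedelta(days=3650)        # "10 years"; 3650 days is an assumption
AUTH_SESSION_MIN = timedelta(minutes=3)
AUTH_SESSION_MAX = timedelta(minutes=15)


@dataclass
class ClientOptions:
    """Mirror of the UserPoolClientOptions keywords this check cares about (defaults as documented)."""
    access_token_validity: timedelta = timedelta(minutes=60)
    id_token_validity: timedelta = timedelta(minutes=60)
    refresh_token_validity: timedelta = timedelta(days=30)
    auth_session_validity: timedelta = timedelta(minutes=3)
    disable_o_auth: bool = False
    o_auth_specified: bool = False          # hypothetical flag: "o_auth= was passed"
    generate_secret: bool = False
    enable_propagate_additional_user_context_data: bool = False
    enable_token_revocation: bool = True
    prevent_user_existence_errors: bool = False


def _check_range(name: str, value: timedelta, lo: timedelta, hi: timedelta, errors: List[str]) -> None:
    if not (lo <= value <= hi):
        errors.append(f"{name}={value} is outside the allowed range {lo}..{hi}")


def check_client_options(opts: ClientOptions) -> List[str]:
    """Hard errors: values CDK/CloudFormation would reject. Empty list means the options are deployable."""
    errors: List[str] = []
    _check_range("access_token_validity", opts.access_token_validity, ACCESS_ID_MIN, ACCESS_ID_MAX, errors)
    _check_range("id_token_validity", opts.id_token_validity, ACCESS_ID_MIN, ACCESS_ID_MAX, errors)
    _check_range("refresh_token_validity", opts.refresh_token_validity, REFRESH_MIN, REFRESH_MAX, errors)
    _check_range("auth_session_validity", opts.auth_session_validity, AUTH_SESSION_MIN, AUTH_SESSION_MAX, errors)
    # Access and ID tokens may not outlive the refresh token they are renewed from.
    for name in ("access_token_validity", "id_token_validity"):
        if getattr(opts, name) > opts.refresh_token_validity:
            errors.append(f"{name} is longer than refresh_token_validity")
    if opts.o_auth_specified and opts.disable_o_auth:
        errors.append("o_auth was specified but disable_o_auth is set")
    if opts.enable_propagate_additional_user_context_data and not opts.generate_secret:
        errors.append("enable_propagate_additional_user_context_data requires a client secret (generate_secret=True)")
    return errors


def security_warnings(opts: ClientOptions) -> List[str]:
    """Soft findings: settings that deploy fine but leave documented weaknesses in place."""
    warnings: List[str] = []
    if not opts.prevent_user_existence_errors:
        warnings.append("prevent_user_existence_errors=False: UserNotFoundException reveals which usernames exist")
    if not opts.enable_token_revocation:
        warnings.append("enable_token_revocation=False: issued refresh tokens cannot be revoked")
    return warnings


def hardened_options() -> ClientOptions:
    """Example policy for a confidential (server-side) client; the lifetimes are this example's choice."""
    return ClientOptions(
        access_token_validity=timedelta(minutes=15),
        id_token_validity=timedelta(minutes=15),
        refresh_token_validity=timedelta(days=1),
        auth_session_validity=timedelta(minutes=3),
        generate_secret=True,
        enable_token_revocation=True,
        prevent_user_existence_errors=True,
    )


if __name__ == "__main__":
    weak = ClientOptions(access_token_validity=timedelta(hours=2), refresh_token_validity=timedelta(hours=1))
    print("weak errors:", check_client_options(weak))
    print("weak warnings:", security_warnings(weak))
    print("hardened:", check_client_options(hardened_options()), security_warnings(hardened_options()))
```

Run this in the stack's unit tests against the values you intend to pass to add_client(); converting a Duration back is mechanical (Duration.minutes(n) to timedelta(minutes=n)). The hard errors are the ones this page documents; the warnings encode the two flags whose defaults are the weaker choice.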

supported_identity_providers

The list of identity providers that users should be able to use to sign in using this client.

Default:

  • supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.

user_pool_client_name

Name of the application client.

Default:
  • cloudformation generated name

write_attributes

The set of attributes this client will be able to write. Restrict this to what the client actually needs; a client that can write every attribute can alter data other components trust.

Default:
  • all standard and custom attributes

See:

https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes