aws-cdk-lib.aws_cognito.UserPoolClient

class UserPoolClient (construct)

Language              Type name
.NET                  Amazon.CDK.AWS.Cognito.UserPoolClient
Go                    github.com/aws/aws-cdk-go/awscdk/v2/awscognito#UserPoolClient
Java                  software.amazon.awscdk.services.cognito.UserPoolClient
Python                aws_cdk.aws_cognito.UserPoolClient
TypeScript (source)   aws-cdk-lib » aws_cognito » UserPoolClient

Implements IConstruct, IDependable, IResource, IUserPoolClient

Define a UserPool App Client.

Example

import * as cognito from 'aws-cdk-lib/aws-cognito';

// 'this' is the Stack (or other Construct) the resources are defined in.
const pool = new cognito.UserPool(this, 'Pool');
const provider = new cognito.UserPoolIdentityProviderAmazon(this, 'Amazon', {
  userPool: pool,
  clientId: 'amzn-client-id',
  clientSecret: 'amzn-client-secret',
});

const client = pool.addClient('app-client', {
  // ...
  supportedIdentityProviders: [
    cognito.UserPoolClientIdentityProvider.AMAZON,
  ],
});

// Make sure the provider is registered before the client that references it is created.
client.node.addDependency(provider);

Initializer

new UserPoolClient(scope: Construct, id: string, props: UserPoolClientProps)

Parameters

  • scope Construct
  • id string
  • props UserPoolClientProps

Construct Props

  • userPool (IUserPool): The UserPool resource this client will have access to.
  • accessTokenValidity? (Duration): Validity of the access token.
  • authFlows? (AuthFlow): The set of OAuth authentication flows to enable on the client.
  • authSessionValidity? (Duration): Cognito creates a session token for each API request in an authentication flow.
  • disableOAuth? (boolean): Turns off all OAuth interactions for this client.
  • enableTokenRevocation? (boolean): Enable token revocation for this client.
  • generateSecret? (boolean): Whether to generate a client secret.
  • idTokenValidity? (Duration): Validity of the ID token.
  • oAuth? (OAuthSettings): OAuth settings for this client to interact with the app.
  • preventUserExistenceErrors? (boolean): Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.
  • readAttributes? (ClientAttributes): The set of attributes this client will be able to read.
  • refreshTokenValidity? (Duration): Validity of the refresh token.
  • supportedIdentityProviders? (UserPoolClientIdentityProvider[]): The list of identity providers that users should be able to use to sign in using this client.
  • userPoolClientName? (string): Name of the application client.
  • writeAttributes? (ClientAttributes): The set of attributes this client will be able to write.

userPool

Type: IUserPool

The UserPool resource this client will have access to.


accessTokenValidity?

Type: Duration (optional, default: Duration.minutes(60))

Validity of the access token.

Values between 5 minutes and 1 day are valid. The duration cannot be longer than the refresh token validity.

See also: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token


authFlows?

Type: AuthFlow (optional, default: all auth flows disabled)

The set of OAuth authentication flows to enable on the client.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html


authSessionValidity?

Type: Duration (optional, default: Duration.minutes(3))

Cognito creates a session token for each API request in an authentication flow.

authSessionValidity is the duration of that session token (see the default above). Valid durations are from 3 to 15 minutes.

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity


disableOAuth?

Type: boolean (optional, default: false)

Turns off all OAuth interactions for this client.


enableTokenRevocation?

Type: boolean (optional, default: true for new user pool clients)

Enable token revocation for this client.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation


generateSecret?

Type: boolean (optional, default: false)

Whether to generate a client secret.


idTokenValidity?

Type: Duration (optional, default: Duration.minutes(60))

Validity of the ID token.

Values between 5 minutes and 1 day are valid. The duration cannot be longer than the refresh token validity.

See also: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-id-token


oAuth?

Type: OAuthSettings (optional, default: see defaults in OAuthSettings. Meaningless if disableOAuth is set.)

OAuth settings for this client to interact with the app.

An error is thrown when this is specified and disableOAuth is set.


preventUserExistenceErrors?

Type: boolean (optional, default: false)

Whether Cognito returns a UserNotFoundException exception when the user does not exist in the user pool (false), or whether it returns another type of error that doesn't reveal the user's absence.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-managing-errors.html


readAttributes?

Type: ClientAttributes (optional, default: all standard and custom attributes)

The set of attributes this client will be able to read.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes


refreshTokenValidity?

Type: Duration (optional, default: Duration.days(30))

Validity of the refresh token.

Values between 60 minutes and 10 years are valid.

See also: https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-refresh-token


supportedIdentityProviders?

Type: UserPoolClientIdentityProvider[] (optional, default: supports all identity providers that are registered with the user pool. If the user pool and/or identity providers are imported, either specify this option explicitly or ensure that the identity providers are registered with the user pool using the UserPool.registerIdentityProvider() API.)

The list of identity providers that users should be able to use to sign in using this client.


userPoolClientName?

Type: string (optional, default: CloudFormation-generated name)

Name of the application client.


writeAttributes?

Type: ClientAttributes (optional, default: all standard and custom attributes)

The set of attributes this client will be able to write.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html#user-pool-settings-attribute-permissions-and-scopes
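The constraints documented for the props above (token validity ranges, access and ID tokens not outliving the refresh token, the 3 to 15 minute auth session window, oAuth together with disableOAuth) are only enforced when the construct is created. The TypeScript below is an added example, not code from aws-cdk-lib or the AWS documentation: a small pre-synth lint that checks a props object against exactly those documented rules and additionally flags the two settings with a direct security effect (preventUserExistenceErrors left at its default of false, enableTokenRevocation explicitly false). It assumes durations are given as whole minutes instead of cdk Duration values, uses 365-day years for the 10-year refresh token bound, and the function and type names are hypothetical.

```typescript
// Added example (not part of aws-cdk-lib): lint a UserPoolClient props object
// against the validity rules documented on this page before cdk synth.
// Assumption: every Duration is modelled as a whole number of minutes.

type Finding = { level: 'error' | 'warn'; message: string };

// Hypothetical mirror of the UserPoolClientProps fields the checks need.
interface UserPoolClientPropsMinutes {
  accessTokenValidity?: number;         // default 60 (Duration.minutes(60))
  idTokenValidity?: number;             // default 60
  refreshTokenValidity?: number;        // default 30 days
  authSessionValidity?: number;         // default 3
  disableOAuth?: boolean;               // default false
  oAuth?: Record<string, unknown>;      // OAuthSettings; its shape is irrelevant here
  generateSecret?: boolean;             // default false
  preventUserExistenceErrors?: boolean; // default false
  enableTokenRevocation?: boolean;      // default true for new user pool clients
}

const MINUTES_PER_HOUR = 60;
const MINUTES_PER_DAY = 24 * MINUTES_PER_HOUR;
const MINUTES_PER_YEAR = 365 * MINUTES_PER_DAY; // assumption: 365-day years

const DEFAULTS = {
  accessTokenValidity: 60,
  idTokenValidity: 60,
  refreshTokenValidity: 30 * MINUTES_PER_DAY,
  authSessionValidity: 3,
};

function lintUserPoolClientProps(props: UserPoolClientPropsMinutes): Finding[] {
  const findings: Finding[] = [];
  const error = (message: string) => findings.push({ level: 'error', message });
  const warn = (message: string) => findings.push({ level: 'warn', message });

  const access = props.accessTokenValidity ?? DEFAULTS.accessTokenValidity;
  const id = props.idTokenValidity ?? DEFAULTS.idTokenValidity;
  const refresh = props.refreshTokenValidity ?? DEFAULTS.refreshTokenValidity;
  const session = props.authSessionValidity ?? DEFAULTS.authSessionValidity;

  // Documented ranges: access and ID tokens 5 minutes to 1 day, refresh token 60 minutes to 10 years.
  if (access < 5 || access > MINUTES_PER_DAY) error(`accessTokenValidity ${access}m is outside 5m..1d`);
  if (id < 5 || id > MINUTES_PER_DAY) error(`idTokenValidity ${id}m is outside 5m..1d`);
  if (refresh < MINUTES_PER_HOUR || refresh > 10 * MINUTES_PER_YEAR) {
    error(`refreshTokenValidity ${refresh}m is outside 60m..10y`);
  }
  // Neither the access nor the ID token may be valid longer than the refresh token.
  if (access > refresh) error(`accessTokenValidity ${access}m exceeds refreshTokenValidity ${refresh}m`);
  if (id > refresh) error(`idTokenValidity ${id}m exceeds refreshTokenValidity ${refresh}m`);
  // The auth session token must be valid between 3 and 15 minutes.
  if (session < 3 || session > 15) error(`authSessionValidity ${session}m is outside 3m..15m`);
  // The construct throws when oAuth is specified together with disableOAuth.
  if (props.disableOAuth && props.oAuth !== undefined) error('oAuth is specified but disableOAuth is set');

  // Hardening hints: not construct errors, but settings a reviewer should see.
  if (!props.preventUserExistenceErrors) {
    warn('preventUserExistenceErrors is false: UserNotFoundException reveals whether a username exists');
  }
  if (props.enableTokenRevocation === false) {
    warn('enableTokenRevocation is false: issued tokens cannot be revoked before they expire');
  }
  return findings;
}

function hasErrors(findings: Finding[]): boolean {
  return findings.some((f) => f.level === 'error');
}

// Constructed sample inputs (not real configurations).
const hardenedClient: UserPoolClientPropsMinutes = {
  accessTokenValidity: 15,
  idTokenValidity: 15,
  refreshTokenValidity: 8 * MINUTES_PER_HOUR,
  authSessionValidity: 3,
  preventUserExistenceErrors: true,
  enableTokenRevocation: true,
};

const looseClient: UserPoolClientPropsMinutes = {
  accessTokenValidity: 2 * MINUTES_PER_DAY, // too long, and longer than the refresh token
  refreshTokenValidity: MINUTES_PER_DAY,
  authSessionValidity: 20,                  // outside 3..15
  disableOAuth: true,
  oAuth: {},                                // conflicts with disableOAuth
};

for (const [name, props] of [['hardened', hardenedClient], ['loose', looseClient]] as const) {
  const findings = lintUserPoolClientProps(props);
  console.log(`${name}: ${hasErrors(findings) ? 'FAIL' : 'ok'}`);
  for (const f of findings) console.log(`  [${f.level}] ${f.message}`);
}
```

Running the lint on the defaults alone (an empty props object) produces no errors but one warning, because preventUserExistenceErrors defaults to false; the hardened sample produces nothing, and the loose sample produces four errors that cdk synth would also reject, plus the same warning.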

Properties

  • env (ResourceEnvironment): The environment this resource belongs to.
  • node (Node): The tree node.
  • oAuthFlows (OAuthFlows): The OAuth flows enabled for this client.
  • stack (Stack): The stack in which this resource is defined.
  • userPoolClientId (string): Name of the application client.
  • userPoolClientName (string): The client name that was specified via the userPoolClientName property during initialization, throws an error otherwise.
  • userPoolClientSecret (SecretValue): The generated client secret.

env

Type: ResourceEnvironment

The environment this resource belongs to.

For resources that are created and managed by the CDK (generally, those created by creating new class instances like Role, Bucket, etc.), this is always the same as the environment of the stack they belong to; however, for imported resources (those obtained from static methods like fromRoleArn, fromBucketName, etc.), that might be different than the stack they were imported into.


node

Type: Node

The tree node.


oAuthFlows

Type: OAuthFlows

The OAuth flows enabled for this client.


stack

Type: Stack

The stack in which this resource is defined.


userPoolClientId

Type: string

Name of the application client.


userPoolClientName

Type: string

The client name that was specified via the userPoolClientName property during initialization, throws an error otherwise.


userPoolClientSecret

Type: SecretValue

The generated client secret.

Only available if the generateSecret prop is set to true.

Methods

  • applyRemovalPolicy(policy): Apply the given removal policy to this resource.
  • toString(): Returns a string representation of this construct.
  • static fromUserPoolClientId(scope, id, userPoolClientId): Import a user pool client given its id.

applyRemovalPolicy(policy)

public applyRemovalPolicy(policy: RemovalPolicy): void

Parameters

  • policy RemovalPolicy

Apply the given removal policy to this resource.

The Removal Policy controls what happens to this resource when it stops being managed by CloudFormation, either because you've removed it from the CDK application or because you've made a change that requires the resource to be replaced.

The resource can be deleted (RemovalPolicy.DESTROY), or left in your AWS account for data recovery and cleanup later (RemovalPolicy.RETAIN).


toString()

public toString(): string

Returns

  • string

Returns a string representation of this construct.


static fromUserPoolClientId(scope, id, userPoolClientId)

public static fromUserPoolClientId(scope: Construct, id: string, userPoolClientId: string): IUserPoolClient

Parameters

  • scope Construct
  • id string
  • userPoolClientId string

Returns

  • IUserPoolClient

Import a user pool client given its id.