aws-cdk-lib.aws_elasticloadbalancingv2_actions.AuthenticateCognitoActionProps

interface AuthenticateCognitoActionProps

LanguageType name
.NETAmazon.CDK.AWS.ElasticLoadBalancingV2.Actions.AuthenticateCognitoActionProps
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awselasticloadbalancingv2actions#AuthenticateCognitoActionProps
Javasoftware.amazon.awscdk.services.elasticloadbalancingv2.actions.AuthenticateCognitoActionProps
Pythonaws_cdk.aws_elasticloadbalancingv2_actions.AuthenticateCognitoActionProps
TypeScript (source)aws-cdk-lib » aws_elasticloadbalancingv2_actions » AuthenticateCognitoActionProps

Properties for AuthenticateCognitoAction.

Example

import { aws_certificatemanager as acm } from 'aws-cdk-lib';

declare const vpc: ec2.Vpc;
declare const certificate: acm.Certificate;

const lb = new elbv2.ApplicationLoadBalancer(this, 'LB', {
  vpc,
  internetFacing: true,
});

const userPool = new cognito.UserPool(this, 'UserPool');
const userPoolClient = new cognito.UserPoolClient(this, 'Client', {
  userPool,

  // Required minimal configuration for use with an ELB
  generateSecret: true,
  authFlows: {
    userPassword: true,
  },
  oAuth: {
    flows: {
      authorizationCodeGrant: true,
    },
    scopes: [cognito.OAuthScope.EMAIL],
    callbackUrls: [
      `https://${lb.loadBalancerDnsName}/oauth2/idpresponse`,
    ],
  },
});
const cfnClient = userPoolClient.node.defaultChild as cognito.CfnUserPoolClient;
cfnClient.addPropertyOverride('RefreshTokenValidity', 1);
cfnClient.addPropertyOverride('SupportedIdentityProviders', ['COGNITO']);

const userPoolDomain = new cognito.UserPoolDomain(this, 'Domain', {
  userPool,
  cognitoDomain: {
    domainPrefix: 'test-cdk-prefix',
  },
});

lb.addListener('Listener', {
  port: 443,
  certificates: [certificate],
  defaultAction: new actions.AuthenticateCognitoAction({
    userPool,
    userPoolClient,
    userPoolDomain,
    next: elbv2.ListenerAction.fixedResponse(200, {
      contentType: 'text/plain',
      messageBody: 'Authenticated',
    }),
  }),
});

new CfnOutput(this, 'DNS', {
  value: lb.loadBalancerDnsName,
});

Properties

NameTypeDescription
nextListenerActionWhat action to execute next.
userPoolIUserPoolThe Amazon Cognito user pool.
userPoolClientIUserPoolClientThe Amazon Cognito user pool client.
userPoolDomainIUserPoolDomainThe domain prefix or fully-qualified domain name of the Amazon Cognito user pool.
allowHttpsOutbound?booleanAllow HTTPS outbound traffic to communicate with the IdP.
authenticationRequestExtraParams?{ [string]: string }The query parameters (up to 10) to include in the redirect request to the authorization endpoint.
onUnauthenticatedRequest?UnauthenticatedActionThe behavior if the user is not authenticated.
scope?stringThe set of user claims to be requested from the IdP.
sessionCookieName?stringThe name of the cookie used to maintain session information.
sessionTimeout?DurationThe maximum duration of the authentication session.

next

Type: ListenerAction

What action to execute next.

Multiple actions form a linked chain; the chain must always terminate in a (weighted)forward, fixedResponse or redirect action.


userPool

Type: IUserPool

The Amazon Cognito user pool.


userPoolClient

Type: IUserPoolClient

The Amazon Cognito user pool client.


userPoolDomain

Type: IUserPoolDomain

The domain prefix or fully-qualified domain name of the Amazon Cognito user pool.


allowHttpsOutbound?

Type: boolean (optional, default: true)

Allow HTTPS outbound traffic to communicate with the IdP.

Set this property to false if the IP address used for the IdP endpoint is identifiable and you want to control outbound traffic. Then allow HTTPS outbound traffic to the IdP's IP address using the listener's connections property.

See also: https://repost.aws/knowledge-center/elb-configure-authentication-alb


authenticationRequestExtraParams?

Type: { [string]: string } (optional, default: No extra parameters)

The query parameters (up to 10) to include in the redirect request to the authorization endpoint.


onUnauthenticatedRequest?

Type: UnauthenticatedAction (optional, default: UnauthenticatedAction.AUTHENTICATE)

The behavior if the user is not authenticated.


scope?

Type: string (optional, default: "openid")

The set of user claims to be requested from the IdP.

To verify which scope values your IdP supports and how to separate multiple values, see the documentation for your IdP.


sessionCookieName?

Type: string (optional, default: "AWSELBAuthSessionCookie")

The name of the cookie used to maintain session information.


sessionTimeout?

Type: Duration (optional, default: Duration.days(7))

The maximum duration of the authentication session.