aws-cdk-lib.aws_cognito.OAuthScope

class OAuthScope

Language      Type name
.NET          Amazon.CDK.AWS.Cognito.OAuthScope
Go            github.com/aws/aws-cdk-go/awscdk/v2/awscognito#OAuthScope
Java          software.amazon.awscdk.services.cognito.OAuthScope
Python        aws_cdk.aws_cognito.OAuthScope
TypeScript    aws-cdk-lib » aws_cognito » OAuthScope (source)

OAuth scopes that are allowed with this client.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html

Example

import * as cognito from 'aws-cdk-lib/aws-cognito';

// `this` is the Stack (or Construct) in which the user pool is defined.
const pool = new cognito.UserPool(this, 'Pool');

const readOnlyScope = new cognito.ResourceServerScope({ scopeName: 'read', scopeDescription: 'Read-only access' });
const fullAccessScope = new cognito.ResourceServerScope({ scopeName: '*', scopeDescription: 'Full access' });

const userServer = pool.addResourceServer('ResourceServer', {
  identifier: 'users',
  scopes: [ readOnlyScope, fullAccessScope ],
});

const readOnlyClient = pool.addClient('read-only-client', {
  // ...
  oAuth: {
    // ...
    scopes: [ cognito.OAuthScope.resourceServer(userServer, readOnlyScope) ],
  },
});

const fullAccessClient = pool.addClient('full-access-client', {
  // ...
  oAuth: {
    // ...
    scopes: [ cognito.OAuthScope.resourceServer(userServer, fullAccessScope) ],
  },
});

Properties

Name                    Type         Description
scopeName               string       The name of this scope as recognized by CloudFormation.
static COGNITO_ADMIN    OAuthScope   Grants access to Amazon Cognito User Pool API operations that require access tokens, such as UpdateUserAttributes and VerifyUserAttribute.
static EMAIL            OAuthScope   Grants access to the 'email' and 'email_verified' claims.
static OPENID           OAuthScope   Returns all user attributes in the ID token that are readable by the client.
static PHONE            OAuthScope   Grants access to the 'phone_number' and 'phone_number_verified' claims.
static PROFILE          OAuthScope   Grants access to all user attributes that are readable by the client. Automatically includes access to OAuthScope.OPENID.

scopeName

Type: string

The name of this scope as recognized by CloudFormation.

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes


static COGNITO_ADMIN

Type: OAuthScope

Grants access to Amazon Cognito User Pool API operations that require access tokens, such as UpdateUserAttributes and VerifyUserAttribute.


static EMAIL

Type: OAuthScope

Grants access to the 'email' and 'email_verified' claims.

Automatically includes access to OAuthScope.OPENID.


static OPENID

Type: OAuthScope

Returns all user attributes in the ID token that are readable by the client.


static PHONE

Type: OAuthScope

Grants access to the 'phone_number' and 'phone_number_verified' claims.

Automatically includes access to OAuthScope.OPENID.


static PROFILE

Type: OAuthScope

Grants access to all user attributes that are readable by the client.

Automatically includes access to OAuthScope.OPENID.

Methods

Name                                Description
static custom(name)                 A custom scope is one that you define for your own resource server under Resource Servers.
static resourceServer(server, scope) Adds a custom scope that's tied to a resource server in your stack.

static custom(name)

public static custom(name: string): OAuthScope

Parameters

  • name string

Returns

  • OAuthScope

A custom scope is one that you define for your own resource server under Resource Servers.

The format is 'resource-server-identifier/scope'.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html
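The 'resource-server-identifier/scope' format above is also what a resource server must look for in the `scope` claim of an access token it receives. The following is an added example, not code from the CDK docs or from aws-cdk-lib: it builds scope names the way this page describes and checks a token's claims against a required scope. It assumes the token's signature, issuer and audience have already been verified by a JWT library (not shown), and the claim objects are constructed sample data using the `users/read` and `users/*` names from the example above.

```typescript
// Added example: resource-server-side check of Cognito access-token scopes.
// Assumes signature/issuer/audience verification already happened upstream.

interface AccessTokenClaims {
  token_use?: string; // Cognito sets 'access' on access tokens, 'id' on ID tokens
  scope?: string;     // space-separated scope list, e.g. 'users/read openid'
  client_id?: string;
  exp?: number;       // expiry, seconds since epoch
}

// Mirrors the '<resource-server-identifier>/<scopeName>' format on this page,
// i.e. what OAuthScope.resourceServer(server, scope) resolves to.
function resourceServerScope(identifier: string, scopeName: string): string {
  return `${identifier}/${scopeName}`;
}

// Split the claim into a set; a missing or empty claim yields no scopes (deny by default).
function scopesOf(claims: AccessTokenClaims): Set<string> {
  return new Set((claims.scope ?? '').split(' ').filter((s) => s.length > 0));
}

// Returns true only for an unexpired *access* token carrying `required` verbatim.
// Matching is exact: 'users/*' is just another scope name, not a wildcard.
function hasScope(
  claims: AccessTokenClaims,
  required: string,
  now: number = Math.floor(Date.now() / 1000),
): boolean {
  if (claims.token_use !== 'access') return false; // ID tokens carry no scope claim; never accept them here
  if (claims.exp === undefined || claims.exp <= now) return false;
  return scopesOf(claims).has(required);
}

// Constructed sample claims, matching the read-only and full-access clients above.
const readOnlyClaims: AccessTokenClaims = { token_use: 'access', scope: 'users/read', client_id: 'read-only-client', exp: 2000 };
const fullAccessClaims: AccessTokenClaims = { token_use: 'access', scope: 'users/* users/read', client_id: 'full-access-client', exp: 2000 };
```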


static resourceServer(server, scope)

public static resourceServer(server: IUserPoolResourceServer, scope: ResourceServerScope): OAuthScope

Parameters

  • server IUserPoolResourceServer
  • scope ResourceServerScope

Returns

  • OAuthScope

Adds a custom scope that's tied to a resource server in your stack.