feat(cognito): support for ALLOW_USER_AUTH explicit auth flow (#32273)

### Reason for this change Cognito [released some new auth flow features](https://aws.amazon.com/blogs/aws/improve-your-app-authentication-workflow-with-new-amazon-cognito-features/) which have [made their way into cloudformation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-explicitauthflows). I want to be able to use the new `USER_AUTH` sign in on a `UserPoolClient`. ### Description of changes I've added a `user` option to the `AuthFlow` struct for `UserPoolClient`. This naming matches the naming convention for the other settings in `AuthFlow` so while `user` is a very generic label, I think it makes sense in the context of this `AuthFlow` struct. i.e. the current properties are: ``` adminUserPassword -> ADMIN_USER_PASSWORD_AUTH custom -> CUSTOM_AUTH userPassword -> USER_PASSWORD_AUTH userSrp -> USER_SRP_AUTH ``` This property then sets the `"ALLOW_USER_AUTH"` value in the `ExplicitAuthFlows` of the `UserPoolClient`. ### Description of how you validated changes I added the setting to both the unit and integration tests which have all auth types enabled. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* Co-authored-by: GZ <[email protected]> Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
aws · Dec 4, 2024 · c5bcfdc · c5bcfdc
1 parent 935c06f
commit c5bcfdc
Show file tree

Hide file tree

Showing 6 changed files with 16 additions and 0 deletions.
diff --git a/...ool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json b/...ool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json
@@ -66,6 +66,7 @@
      "ALLOW_ADMIN_USER_PASSWORD_AUTH",
      "ALLOW_CUSTOM_AUTH",
      "ALLOW_USER_SRP_AUTH",
+     "ALLOW_USER_AUTH",
      "ALLOW_REFRESH_TOKEN_AUTH"
     ],
     "GenerateSecret": true,

diff --git a/...k-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json b/...k-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json
diff --git a/...dk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.ts b/...dk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.ts
@@ -20,6 +20,7 @@ const client = userpool.addClient('myuserpoolclient', {
     custom: true,
     userPassword: true,
     userSrp: true,
+    user: true,
   },
   generateSecret: true,
   oAuth: {

diff --git a/packages/aws-cdk-lib/aws-cognito/README.md b/packages/aws-cdk-lib/aws-cognito/README.md
@@ -699,6 +699,9 @@ Custom authentication protocols can be configured by setting the `custom` proper
 functions for the corresponding user pool [triggers](#lambda-triggers). Learn more at [Custom Authentication
 Flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow).
 
+Choice-based authentication can be configured by setting the `user` property under `authFlow`. This enables the
+`USER_AUTH` authentication flow. Learn more at [Choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice).
+
 In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for
 authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more
 about the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749) and [Cognito user pool's

diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts
@@ -34,6 +34,12 @@ export interface AuthFlow {
    * @default false
    */
   readonly userSrp?: boolean;
+
+  /**
+   * Enable Choice-based authentication
+   * @default false
+   */
+  readonly user?: boolean;
 }
 
 /**
@@ -525,6 +531,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
     if (props.authFlows.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); }
     if (props.authFlows.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); }
     if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); }
+    if (props.authFlows.user) { authFlows.push('ALLOW_USER_AUTH'); }
 
     // refreshToken should always be allowed if authFlows are present
     authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');

diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-client.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-client.test.ts
@@ -255,6 +255,7 @@ describe('User Pool Client', () => {
         custom: true,
         userPassword: true,
         userSrp: true,
+        user: true,
       },
     });
 
@@ -264,6 +265,7 @@ describe('User Pool Client', () => {
         'ALLOW_ADMIN_USER_PASSWORD_AUTH',
         'ALLOW_CUSTOM_AUTH',
         'ALLOW_USER_SRP_AUTH',
+        'ALLOW_USER_AUTH',
         'ALLOW_REFRESH_TOKEN_AUTH',
       ],
     });
@@ -281,6 +283,7 @@ describe('User Pool Client', () => {
         custom: false,
         userPassword: false,
         userSrp: false,
+        user: false,
       },
     });