fix(cognito): callback URLs are specified when OAuth is disabled for …

…user pool clients When the `UserPoolClient` property `disableOAuth` is set, callback URLs should not be rendered as it represents a list of allowed redirects for identity providers. Added in a condition that only renders the callback URL default of `https://example.com` if OAuth is enabled. Closes #10311
aws · Sep 29, 2020 · 7e1c015 · 7e1c015
1 parent 56ef837
commit 7e1c015
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 1 deletion.
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
@@ -320,7 +320,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
       explicitAuthFlows: this.configureAuthFlows(props),
       allowedOAuthFlows: props.disableOAuth ? undefined : this.configureOAuthFlows(),
       allowedOAuthScopes: props.disableOAuth ? undefined : this.configureOAuthScopes(props.oAuth),
-      callbackUrLs: callbackUrls && callbackUrls.length > 0 ? callbackUrls : undefined,
+      callbackUrLs: callbackUrls && callbackUrls.length > 0 && !props.disableOAuth ? callbackUrls : undefined,
       logoutUrLs: props.oAuth?.logoutUrls,
       allowedOAuthFlowsUserPoolClient: !props.disableOAuth,
       preventUserExistenceErrors: this.configurePreventUserExistenceErrors(props.preventUserExistenceErrors),

diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
@@ -175,6 +175,30 @@ describe('User Pool Client', () => {
     });
   });
 
+  test('callbackUrls are not rendered if OAuth is disabled ', () => {
+    // GIVEN
+    const stack = new Stack();
+    const pool = new UserPool(stack, 'Pool');
+
+    // WHEN
+    new UserPoolClient(stack, 'PoolClient', {
+      userPool: pool,
+      disableOAuth: true,
+    });
+
+    // THEN
+    expect(stack).not.toHaveResourceLike('AWS::CognitoUserPoolClient', {
+      CallbackURLs: ['https://example.com'],
+    });
+
+    expect(stack).toHaveResource('AWS::Cognito::UserPoolClient', {
+      AllowedOAuthFlowsUserPoolClient: false,
+      SupportedIdentityProviders: [
+        'COGNITO',
+      ],
+    });
+  });
+
   test('fails when callbackUrls is empty for codeGrant or implicitGrant', () => {
     const stack = new Stack();
     const pool = new UserPool(stack, 'Pool');