
[aws-cognito] Add ability to add Resource Servers for User Pool #10676

Closed
1 of 2 tasks
AlexZeitler opened this issue Oct 3, 2020 · 3 comments
Labels: @aws-cdk/aws-cognito (Related to Amazon Cognito), feature-request (A feature should be added or improved.), needs-triage (This issue or PR still needs to be triaged.)

Comments

@AlexZeitler
Contributor

I tried to create a User Pool with OAuth client credential flow enabled and I tried to add custom scopes for that client.

Looks like this is not possible right now (#6765).

Use Case

I tried this using CDK 1.66.0:

import { OAuthScope, UserPool } from "@aws-cdk/aws-cognito";
import * as cdk from "@aws-cdk/core";

export class IdpStack extends cdk.Stack {
  constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const pool = new UserPool(this, "dev-userpool", {
      userPoolName: "dev-userpool",
    });

    const client = pool.addClient("console-client", {
      generateSecret: true,
      oAuth: {
        flows: {
          clientCredentials: true,
        },
        scopes: [OAuthScope.custom('get-todos')],
      },
    });

    pool.addDomain("CognitoDomain", {
      cognitoDomain: {
        domainPrefix: "dev-userpool",
      },
    });
  }
}

cdk deploy results in:

The stack IdpStack already includes a CDKMetadata resource
IdpStack: deploying...
IdpStack: creating CloudFormation changeset...
[██████████████████████████████████▊·······················] (3/5)

12:29:32 AM | CREATE_FAILED        | AWS::Cognito::UserPoolClient | dev-userpool/console-client
Invalid scope requested: get-todos (Service: AWSCognitoIdentityProviderService; Status Code: 400; Error Code: ScopeDoesNotExistException; Request ID: b88b977b-6413-4c06-ae4d-e364ddcddc87; Proxy: null)
12:29:34 AM | ROLLBACK_IN_PROGRESS | AWS::CloudFormation::Stack   | IdpStack
The following resource(s) failed to create: [devuserpoolconsoleclientC6307D10, devuserpoolCognitoDomainAAD9811C]. . Rollback requested by user.

Proposed Solution

I would like to be able to add a resource server with custom scopes like this:

pool.addResourceServer("dev-resource-server", {
    resourceServerName: "dev-resource-server",
    identifier: "https://dev-resource-server",
    scopes: [OAuthScope.custom('get-todos')]
})

Other

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@AlexZeitler AlexZeitler added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2020
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Oct 3, 2020
@AlexZeitler
Contributor Author

In case somebody needs a workaround: https://alexanderzeitler.com/articles/create-aws-cognito-userpool-with-oauth-flows-using-cdk/

@AlexZeitler
Contributor Author

TIL there's an easier out-of-the-box solution:

new CfnUserPoolResourceServer(this, "dev-userpool-resource-server", {
  identifier: "https://resource-server/",
  name: "dev-userpool-resource-server",
  userPoolId: pool.userPoolId,
  scopes: [
    {
      scopeDescription: "Get todo items",
      scopeName: "get-todos",
    },
  ],
});
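The CREATE_FAILED above comes from the client asking for a scope name that no resource server in the pool defines: Cognito exposes a resource server scope to clients as "identifier/scopeName", not the bare name. The following is an added example, not code from the issue or from aws-cdk, that models that naming rule so requested client scopes can be checked against the resource server definitions before running cdk deploy; the resource server definition is constructed from the values proposed in this issue.

```typescript
// Added example (not from the issue or from aws-cdk): pre-deploy check that
// every custom scope a UserPoolClient requests is actually defined by a
// resource server, which is the condition behind ScopeDoesNotExistException.

export interface ResourceServerDef {
  identifier: string; // mirrors CfnUserPoolResourceServer.identifier
  scopes: { scopeName: string; scopeDescription: string }[];
}

// Cognito names a resource server scope "<identifier>/<scopeName>". The
// identifier is concatenated as given here (assumption: no normalisation of a
// trailing slash is attempted, so prefer identifiers without one).
export function fullScopeName(identifier: string, scopeName: string): string {
  return `${identifier}/${scopeName}`;
}

// Cognito's standard OAuth scopes, which exist without any resource server.
const BUILT_IN_SCOPES = new Set([
  "openid", "email", "phone", "profile", "aws.cognito.signin.user.admin",
]);

// Returns the requested scopes that no resource server (and no built-in scope)
// provides; an empty result means the client definition would be accepted.
export function findMissingScopes(servers: ResourceServerDef[], requested: string[]): string[] {
  const known = new Set<string>();
  for (const server of servers) {
    for (const scope of server.scopes) {
      known.add(fullScopeName(server.identifier, scope.scopeName));
    }
  }
  return requested.filter((s) => !known.has(s) && !BUILT_IN_SCOPES.has(s));
}

// Constructed sample, using the identifier and scope proposed in the issue.
export const devResourceServer: ResourceServerDef = {
  identifier: "https://dev-resource-server",
  scopes: [{ scopeName: "get-todos", scopeDescription: "Get todo items" }],
};

// The bare name from the failing deploy is reported as missing; the fully
// qualified name resolves to the resource server's scope.
export const missingBare = findMissingScopes([devResourceServer], ["get-todos"]);
export const missingQualified = findMissingScopes(
  [devResourceServer],
  [fullScopeName(devResourceServer.identifier, "get-todos")],
);
```

In the CDK stack itself the client then requests OAuthScope.custom("https://dev-resource-server/get-todos"), and because CloudFormation infers no ordering from a plain scope string, the client construct also needs an explicit dependency on the CfnUserPoolResourceServer (for example via client.node.addDependency(resourceServer)) so the scope exists before the client is created.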

@github-actions

github-actions bot commented Oct 6, 2020

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
