aws-cognito: not providing the authFlows property creates default authFlows for user pool client #26680
Comments
You're right that the docs we have are inaccurate, since providing nothing to this prop at the Cfn level will create authFlows by default. Thanks for the report
To me, this is just a documentation issue.
You should be able to achieve the behavior by passing
@lpizzinidev that is true, we could also make it transparent in the documentation that there are default values and leave this implementation. It depends on how we want the behaviour to be obviously. To me it feels clearer that nothing is created when nothing is specified. Currently, the moment you set any single auth flow to
When `authFlows` is not defined `UserPoolClient` will support ALLOW_REFRESH_TOKEN_AUTH, ALLOW_USER_SRP_AUTH, and ALLOW_CUSTOM_AUTH. [Link](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-explicitauthflows) to CFN docs.

Closes #26680.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the bug
The documentation for the authFlows attribute of UserPoolClient says that the default behaviour is "all auth flows disabled", however this is not the case. If no authFlows attribute is provided, it defaults to ALLOW_REFRESH_TOKEN_AUTH, ALLOW_CUSTOM_AUTH and ALLOW_USER_SRP_AUTH.

Expected Behavior
I expected there to be no AuthFlows activated for the client if I don't include the authFlows attribute.

Current Behavior
My Client with no specified authFlows property gets these flows per default: ALLOW_REFRESH_TOKEN_AUTH, ALLOW_CUSTOM_AUTH and ALLOW_USER_SRP_AUTH.

Reproduction Steps
This creates a client with auth flows, even though authFlows was not provided.

Possible Solution
In the below code, always pushing ALLOW_REFRESH_TOKEN_AUTH is a workaround so that CfnUserPoolClient always gets a value for explicitAuthFlows, otherwise it defaults to the values mentioned above. However, if the whole property is missing it returns undefined, which creates the default flows. My suggestion (to at least limit the impact) is to push the ALLOW_REFRESH_TOKEN_AUTH if the property is missing, just like we do if any of the authFlows have been set.
An even cleaner solution would be to update the behavior of CfnUserPoolClient so it doesn't create anything per default, but I am not sure where that function resides or how possible that is.
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts
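The following is an added model of the behaviour this issue describes, not code from the aws-cdk repository: it maps the L2 `authFlows` props to the `explicitAuthFlows` list sent to CloudFormation, once as reported (undefined when the prop is omitted, so CloudFormation applies its own defaults) and once with the reporter's suggested fix (always emit a list). The `AuthFlow` field names mirror the CDK props and `effectiveFlows` is a hypothetical helper that applies the CFN defaults quoted in the PR description.

```typescript
// Added example (not CDK source): models how `authFlows` becomes
// CfnUserPoolClient.explicitAuthFlows and what CloudFormation does
// when that property is left undefined.

interface AuthFlow {
  userPassword?: boolean;
  adminUserPassword?: boolean;
  custom?: boolean;
  userSrp?: boolean;
}

// Defaults CloudFormation applies when ExplicitAuthFlows is omitted
// (the three flows named in the issue and PR description).
const CFN_DEFAULT_FLOWS: string[] = [
  "ALLOW_REFRESH_TOKEN_AUTH",
  "ALLOW_USER_SRP_AUTH",
  "ALLOW_CUSTOM_AUTH",
];

// Shared translation: set flags become flow names, and
// ALLOW_REFRESH_TOKEN_AUTH is always pushed (the existing workaround).
function buildFlows(f: AuthFlow): string[] {
  const flows: string[] = [];
  if (f.userPassword) flows.push("ALLOW_USER_PASSWORD_AUTH");
  if (f.adminUserPassword) flows.push("ALLOW_ADMIN_USER_PASSWORD_AUTH");
  if (f.custom) flows.push("ALLOW_CUSTOM_AUTH");
  if (f.userSrp) flows.push("ALLOW_USER_SRP_AUTH");
  flows.push("ALLOW_REFRESH_TOKEN_AUTH");
  return flows;
}

// Reported behaviour: an omitted prop yields undefined, so nothing is
// written to the template and CloudFormation silently enables its defaults.
function explicitAuthFlowsReported(authFlows?: AuthFlow): string[] | undefined {
  if (!authFlows) return undefined;
  return buildFlows(authFlows);
}

// Suggested fix from the issue: treat a missing prop like an empty one,
// so only ALLOW_REFRESH_TOKEN_AUTH is emitted instead of the CFN defaults.
function explicitAuthFlowsFixed(authFlows?: AuthFlow): string[] {
  return buildFlows(authFlows ?? {});
}

// Hypothetical helper: the flows the deployed client will actually allow.
function effectiveFlows(explicit: string[] | undefined): string[] {
  return explicit ?? CFN_DEFAULT_FLOWS;
}
```

Comparing `effectiveFlows(explicitAuthFlowsReported(undefined))` with `effectiveFlows(explicitAuthFlowsFixed(undefined))` shows the difference the issue is about: SRP and custom auth enabled without being asked for, versus refresh-token only.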
Additional Information/Context
No response
CDK CLI Version
2.87.0
Framework Version
No response
Node.js Version
18
OS
OSX
Language
Typescript
Language Version
No response
Other information
No response