❗ NOTICE (aws-apigateway): Authorization Scopes not rendered with CognitoUserPoolsAuthorizer

[t0bst4r]

Please add your +1 👍 to let us know you have encountered this

Status: IN-PROGRESS

Overview:

Describe the bug

When using the CognitoUserPoolsAuthorizer with authorizationScope, the scopes are not rendered to the CloudFormation template, if authorizationType is not set explicitly. This worked before version 2.142.0.

Expected Behavior

Scopes are rendered to the CloudFormation template when using CognitoUserPoolsAuthorizer without setting authorizationType explicitly. The authorizationType of the authorizer should be used implicitly.

Current Behavior

Scopes are not rendered to the CloudFormation template when using CognitoUserPoolsAuthorizer without setting authorizationType explicitly. They are only rendered, when authorizationType is set explicitly.

A warning is printed during CDK synth:

'AuthorizationScopes' can only be set when 'AuthorizationType' sets 'COGNITO_USER_POOLS'. Default to ignore the values set in 'AuthorizationScopes'.

Reproduction Steps

import { Stack } from "aws-cdk-lib";
import { UserPool } from "aws-cdk-lib/aws-cognito";
import { CognitoUserPoolsAuthorizer, RestApi } from "aws-cdk-lib/aws-apigateway";
import { Template } from "aws-cdk-lib/assertions";

const stack = new Stack(undefined, "Stack");
const userPool = UserPool.fromUserPoolId(stack, "UserPool", "userPoolId");
const authorizer = new CognitoUserPoolsAuthorizer(stack, "Authorizer", {
  cognitoUserPools: [userPool],
});
const restApi = new RestApi(stack, "RestApi", {
  deploy: true,
  defaultMethodOptions: {
    authorizer,
    // here we need to add the authorizationType to make it work
  },
});
restApi.root.resourceForPath("/user/profile").addMethod("GET", undefined, {
  authorizationScopes: [OAuthScope.PROFILE.scopeName], // this scope is missing
});
restApi.root.resourceForPath("/any/other").addMethod("POST");

console.log(Template.fromStack(stack).toJSON());

Workaround:

There are 2 workarounds:

• you can pin the aws-cdk-lib version to 2.141.0.
• You can update the RestApi definition as following

const restApi = new RestApi(stack, "RestApi", {
 deploy: true,
 defaultMethodOptions: {
   authorizer,
   // setting it explicit:
   authorizationType: authorizer.authorizationType, 
 },
});

Solution:

We are reverting this PR that introduces the breaking change.

[steamstreetjon]

Yeah, just upgraded to the latest CDK and all the scopes were blown away. This is pretty bad.

[t0bst4r]

You can do the following workaround until it’s fixed:

const restApi = new RestApi(stack, "RestApi", {
  deploy: true,
  defaultMethodOptions: {
    authorizer,
    // setting it explicit:
    authorizationType: authorizer.authorizationType, 
  },
});

[khushail]

Hey @t0bst4r , thanks for reporting this. could you please share the output of cdk diff when the scopes are not rendered and the CDK version which worked successfully ?

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[t0bst4r]

Yes, I’ll provide it tomorrow.

[t0bst4r]

I created a new AWS account, created a new CDK project using 2.141.0.
I have created the following stack:

import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {CognitoUserPoolsAuthorizer, MockIntegration, RestApi} from "aws-cdk-lib/aws-apigateway";
import {OAuthScope, UserPool} from "aws-cdk-lib/aws-cognito";

export class CdkTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const userPool = new UserPool(this, "UserPool");

    const authorizer = new CognitoUserPoolsAuthorizer(this, "Authorizer", {
      cognitoUserPools: [userPool]
    });

    const restApi = new RestApi(this, 'CdkTestStack', {
      defaultMethodOptions: {
        authorizer,
        authorizationScopes: [OAuthScope.PROFILE.scopeName]
      }
    });

    restApi.root
        .resourceForPath("/user")
        .addMethod("GET", new MockIntegration());

    restApi.root
        .resourceForPath("/other")
        .addMethod("POST", new MockIntegration(), {
          authorizationScopes: [OAuthScope.OPENID.scopeName]
        });
  }
}

I bootstrapped the account and deployed the application:

➜  cdk-test git:(main) ✗ npx cdk bootstrap
 ⏳  Bootstrapping environment aws://xxxxxxxxxxxx/eu-central-1...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
CDKToolkit: creating CloudFormation changeset...
 ✅  Environment aws://xxxxxxxxxxxx/eu-central-1 bootstrapped.

➜  cdk-test git:(main) ✗ npx cdk deploy   

✨  Synthesis time: 2.25s

CdkTestStack:  start: Building 1f3bcbb7f34108d0ff41cec88e179d7b4899a1e72820bd04168af80bc4d977fb:xxxxxxxxxxxx-eu-central-1
CdkTestStack:  success: Built 1f3bcbb7f34108d0ff41cec88e179d7b4899a1e72820bd04168af80bc4d977fb:xxxxxxxxxxxx-eu-central-1
CdkTestStack:  start: Publishing 1f3bcbb7f34108d0ff41cec88e179d7b4899a1e72820bd04168af80bc4d977fb:xxxxxxxxxxxx-eu-central-1
CdkTestStack:  success: Published 1f3bcbb7f34108d0ff41cec88e179d7b4899a1e72820bd04168af80bc4d977fb:xxxxxxxxxxxx-eu-central-1
CdkTestStack: deploying... [1/1]
CdkTestStack: creating CloudFormation changeset...

 ✅  CdkTestStack

✨  Deployment time: 22.07s

Then I updated to 2.148.0, did not change anything in the cdk construct / stack. Run cdk diff:

➜  cdk-test git:(main) ✗ npx cdk diff
[Warning at /CdkTestStack/CdkTestStack/Default/user/GET] 'AuthorizationScopes' can only be set when 'AuthorizationType' sets 'COGNITO_USER_POOLS'. Default to ignore the values set in 'AuthorizationScopes'. [ack: @aws-cdk/aws-apigateway:invalidAuthScope]
[Warning at /CdkTestStack/CdkTestStack/Default/other/POST] 'AuthorizationScopes' can only be set when 'AuthorizationType' sets 'COGNITO_USER_POOLS'. Default to ignore the values set in 'AuthorizationScopes'. [ack: @aws-cdk/aws-apigateway:invalidAuthScope]
Stack CdkTestStack
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
Resources
[-] AWS::ApiGateway::Deployment CdkTestStack/Deployment CdkTestStackDeployment201712E9bdb85151af2e300bf835b803e5db9d23 destroy
[+] AWS::ApiGateway::Deployment CdkTestStack/Deployment CdkTestStackDeployment201712E9429aaeea94815003ee36140be839d0b7 
[~] AWS::ApiGateway::Stage CdkTestStack/DeploymentStage.prod CdkTestStackDeploymentStageprod296E6472 
 └─ [~] DeploymentId
     └─ [~] .Ref:
         ├─ [-] CdkTestStackDeployment201712E9bdb85151af2e300bf835b803e5db9d23
         └─ [+] CdkTestStackDeployment201712E9429aaeea94815003ee36140be839d0b7
[~] AWS::ApiGateway::Method CdkTestStack/Default/user/GET CdkTestStackuserGET1317379E 
 └─ [-] AuthorizationScopes
     └─ ["profile"]
[~] AWS::ApiGateway::Method CdkTestStack/Default/other/POST CdkTestStackotherPOST3BA23287 
 └─ [-] AuthorizationScopes
     └─ ["openid"]


✨  Number of stacks with differences: 1

Then I change the cdk code to include an EXPLICIT authorization type:

import * as cdk from 'aws-cdk-lib';
import {Construct} from 'constructs';
import {CognitoUserPoolsAuthorizer, MockIntegration, RestApi} from "aws-cdk-lib/aws-apigateway";
import {OAuthScope, UserPool} from "aws-cdk-lib/aws-cognito";

export class CdkTestStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const userPool = new UserPool(this, "UserPool");

    const authorizer = new CognitoUserPoolsAuthorizer(this, "Authorizer", {
      cognitoUserPools: [userPool]
    });

    const restApi = new RestApi(this, 'CdkTestStack', {
      defaultMethodOptions: {
        authorizer,
        authorizationScopes: [OAuthScope.PROFILE.scopeName],
        authorizationType: authorizer.authorizationType // <-- ONLY CHANGED LINE
      }
    });

    restApi.root
        .resourceForPath("/user")
        .addMethod("GET", new MockIntegration());

    restApi.root
        .resourceForPath("/other")
        .addMethod("POST", new MockIntegration(), {
          authorizationScopes: [OAuthScope.OPENID.scopeName]
        });

  }
}

Then running cdk diff:

➜  cdk-test git:(main) ✗ npx cdk diff
Stack CdkTestStack
Hold on while we create a read-only change set to get a diff with accurate replacement information (use --no-change-set to use a less accurate but faster template-only diff)
There were no differences

✨  Number of stacks with differences: 0

In my first post, I linked to the lines that are most likely the cause of this problem.

[khushail]

Thanks @t0bst4r for sharing the code and diff snippet. I can see the difference in the template generated in CDK 2.148.0.

Thanks for reporting this. Marking it as P1 as its a regression and should be fixed.

[GavinZZ]

Thanks for the report. I can confirm that this is a regression and we will treat it as p0. Created the revert PR to the original change that caused the regression and will do a patch release to get this fixed. Apologize for any inconvenience.

[moelasmar]

You can do the following workaround until it’s fixed:

As another workaround you can pin the aws-cdk-lib version to 2.141.0

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.