diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
index 283fd4d6584ea..bdb93fc24d566 100644
--- a/packages/@aws-cdk/aws-cognito/README.md
+++ b/packages/@aws-cdk/aws-cognito/README.md
@@ -618,6 +618,17 @@ pool.addClient('app-client', {
 });
 ```
+[Token revocation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html
) can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior.
+
+```ts
+const pool = new cognito.UserPool(this, 'Pool');
+pool.addClient('app-client', {
+  // ...
+  enableTokenRevocation: true,
+});
+```
+
 ### Resource Servers
 A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
index d1f89f188c667..99ddaac75e595 100644
--- a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
+++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
@@ -293,6 +293,13 @@ export interface UserPoolClientOptions {
 * @default - all standard and custom attributes
 */
 readonly writeAttributes?: ClientAttributes;
+
+ /**
+ * Enable token revocation for this client.
+ * @see https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
+ * @default true for new user pool clients
+ */
+ readonly enableTokenRevocation?: boolean;
 }
 /**
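Review bot: The `@default true for new user pool clients` tag on `enableTokenRevocation` promises more than the construct delivers: the value is passed through unchanged in the next hunk and the new "absent by default" test pins that the template carries no `EnableTokenRevocation` when the option is omitted, so the effective default is whatever Cognito applies, which the README text in this commit describes as enabled for new user pools only. A reader adding a client to a pool created before the feature existed may therefore assume refresh-token revocation is on when it is not, and has no hint that an explicit `true` is what guarantees it. Suggest `@default - not set; the Cognito service default applies (enabled for new user pools). Set to true explicitly to guarantee revocation on existing pools.` The enclosing `UserPoolClientOptions` interface starts before the hunk.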
@@ -381,6 +388,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
 supportedIdentityProviders: this.configureIdentityProviders(props),
 readAttributes: props.readAttributes?.attributes(),
 writeAttributes: props.writeAttributes?.attributes(),
+ enableTokenRevocation: props.enableTokenRevocation,
 });
 this.configureTokenValidity(resource, props);
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
index dc8dde7779bbc..d6fc81f28c43c 100644
--- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
+++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
@@ -541,6 +541,53 @@ describe('User Pool Client', () => {
 })).toThrow(/disableOAuth is set/);
 });
+ test('EnableTokenRevocation is absent by default', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+
+ // WHEN
+ pool.addClient('Client');
+
+ // THEN
+ Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+ EnableTokenRevocation: Match.absentProperty(),
+ });
+ });
+
+ test('enableTokenRevocation in addClient', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+
+ // WHEN
+ pool.addClient('Client', {
+ enableTokenRevocation: true,
+ });
+
+ // THEN
+ Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+ EnableTokenRevocation: true,
+ });
+ });
+
+ test('enableTokenRevocation in UserPoolClient', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+
+ // WHEN
+ new UserPoolClient(stack, 'Client1', {
+ userPool: pool,
+ enableTokenRevocation: true,
+ });
+
+ // THEN
+ Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
+ EnableTokenRevocation: true,
+ });
+ });
+
 describe('token validity', () => {
 test('default', () => {
 // GIVEN
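Review bot: None of the three new tests covers `enableTokenRevocation: false`, which is the security-relevant direction (switching refresh-token revocation off) and the one a truthiness regression in the pass-through `enableTokenRevocation: props.enableTokenRevocation,` from the previous hunk would silently lose, since the absent-by-default test already shows that a dropped value disappears from the template. A fourth case should assert that an explicit `false` renders as `EnableTokenRevocation: false` rather than being omitted, so the intended weakening is visible in the synthesized template and reviewable in a diff. The enclosing `describe('User Pool Client', ...)` block starts before the hunk.
```typescript
  test('enableTokenRevocation false is rendered explicitly', () => {
    // GIVEN
    const stack = new Stack();
    const pool = new UserPool(stack, 'Pool');

    // WHEN
    pool.addClient('Client', {
      enableTokenRevocation: false,
    });

    // THEN
    Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
      EnableTokenRevocation: false,
    });
  });
  // … unchanged: existing enableTokenRevocation tests and 'token validity' describe …
```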