From 0aa50a57a96897f8e43d2c01263f79d5541ba4df Mon Sep 17 00:00:00 2001 From: Julian Michel Date: Fri, 25 Jun 2021 18:14:16 +0000 Subject: [PATCH 1/5] feat(cognito): add support for token revocation in UserPoolClient --- .../aws-cognito/lib/user-pool-client.ts | 8 +++++ .../aws-cognito/test/user-pool-client.test.ts | 30 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts index d1f89f188c667..99ddaac75e595 100644 --- a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts +++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts @@ -293,6 +293,13 @@ export interface UserPoolClientOptions { * @default - all standard and custom attributes */ readonly writeAttributes?: ClientAttributes; + + /** + * Enable token revocation for this client. + * @see https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation + * @default true for new user pool clients + */ + readonly enableTokenRevocation?: boolean; } /** @@ -381,6 +388,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient { supportedIdentityProviders: this.configureIdentityProviders(props), readAttributes: props.readAttributes?.attributes(), writeAttributes: props.writeAttributes?.attributes(), + enableTokenRevocation: props.enableTokenRevocation, }); this.configureTokenValidity(resource, props); diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts index 22055828bebe5..80f7f5fe86829 100644 --- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts +++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts 
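Review bot: The `@default true for new user pool clients` tag on `enableTokenRevocation` reads as though the construct itself sets `true`, but the second hunk passes the property straight through as `enableTokenRevocation: props.enableTokenRevocation`, so when the caller omits it nothing is sent and the effective value is decided by the Cognito service, not by CDK. Following the CDK convention for non-literal defaults, I would write `* @default - not set; Cognito activates revocation for newly created app clients, and the service default may differ for app clients in user pools that predate the feature (see the linked page)`. It is also worth a sentence in the same doc comment that this setting governs whether refresh tokens issued to this client can be revoked, so a reader understands that passing `false` explicitly opts out of that capability. The `UserPoolClientOptions` interface and the `UserPoolClient` constructor both extend beyond these hunks.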
@@ -542,6 +542,36 @@ describe('User Pool Client', () => { })).toThrow(/disableOAuth is set/); }); + test('EnableTokenRevocation is absent by default', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'Pool'); + + // WHEN + pool.addClient('Client'); + + // THEN + expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', { + EnableTokenRevocation: ABSENT, + }); + }); + + test('enableTokenRevocation', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'Pool'); + + // WHEN + pool.addClient('Client', { + enableTokenRevocation: true, + }); + + // THEN + expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', { + EnableTokenRevocation: true, + }); + }); + describe('token validity', () => { test('default', () => { // GIVEN From 4f5ffb9c8ba10f3f2f7ec1d9ed0c3d1de0081fff Mon Sep 17 00:00:00 2001 From: Julian Michel Date: Fri, 9 Jul 2021 21:31:28 +0000 Subject: [PATCH 2/5] describe enableTokenRevocation in readme --- packages/@aws-cdk/aws-cognito/README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md index 0c9c77ce42fdf..77a0cf91d5abe 100644 --- a/packages/@aws-cdk/aws-cognito/README.md +++ b/packages/@aws-cdk/aws-cognito/README.md 
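Review bot: The new tests cover the omitted case and `enableTokenRevocation: true`, but not an explicit `false`, so a later change that drops falsy values (for example a `||` default or a truthiness guard in the constructor) would silently turn a deliberate opt-out into the service default without any test failing. I would add a third case alongside these two: `pool.addClient('Client', { enableTokenRevocation: false });` followed by `expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', { EnableTokenRevocation: false });` (using whichever assertion API the file ends up on). The same gap remains in the `enableTokenRevocation in UserPoolClient` test added in patch 4 of this series, which also only asserts `true`. The enclosing `describe('User Pool Client', …)` block starts and ends outside the hunk.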
@@ -603,6 +603,17 @@ pool.addClient('app-client', { }); ``` +[Token revocation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html +) can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior. + +```ts +const pool = new cognito.UserPool(this, 'Pool'); +pool.addClient('app-client', { + // ... + enableTokenRevocation: true, +}); +``` + ### Resource Servers A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an From 87e0779f9d9d523dd47a9fb5c6612d6d647be600 Mon Sep 17 00:00:00 2001 From: Julian Michel Date: Sat, 10 Jul 2021 08:15:42 +0000 Subject: [PATCH 3/5] fix tast case --- packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts index e6c16a1a159c0..ce2febe9af150 100644 --- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts +++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts @@ -550,8 +550,8 @@ describe('User Pool Client', () => { pool.addClient('Client'); // THEN - expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', { - EnableTokenRevocation: ABSENT, + TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { + EnableTokenRevocation: Match.absentProperty(), }); }); @@ -566,7 +566,7 @@ describe('User Pool Client', () => { }); // THEN - expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', { + TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { EnableTokenRevocation: true, }); }); From 5c332d020c92731ffdfb5cd606955a080a83abcf Mon Sep 17 00:00:00 2001 
From: Julian Michel Date: Mon, 12 Jul 2021 19:18:13 +0000 Subject: [PATCH 4/5] test case: set enableTokenRevocation in UserPoolClient --- .../aws-cognito/test/user-pool-client.test.ts | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts index ce2febe9af150..6877417f9fc4e 100644 --- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts +++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts @@ -555,7 +555,7 @@ describe('User Pool Client', () => { }); }); - test('enableTokenRevocation', () => { + test('enableTokenRevocation in addClient', () => { // GIVEN const stack = new Stack(); const pool = new UserPool(stack, 'Pool'); @@ -571,6 +571,23 @@ describe('User Pool Client', () => { }); }); + test('enableTokenRevocation in UserPoolClient', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'Pool'); + + // WHEN + new UserPoolClient(stack, 'Client1', { + userPool: pool, + enableTokenRevocation: true, + }); + + // THEN + TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { + EnableTokenRevocation: true, + }); + }); + describe('token validity', () => { test('default', () => { // GIVEN From 313f65093d524ed63a09fec02e44ba3b4570ca99 Mon Sep 17 00:00:00 2001 From: Julian Michel Date: Sat, 7 Aug 2021 11:57:14 +0000 Subject: [PATCH 5/5] fix test, TemplateAssertions was renamed to Template --- packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts index 4022001dd97cb..d6fc81f28c43c 100644 --- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts +++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts 
@@ -550,7 +550,7 @@ describe('User Pool Client', () => { pool.addClient('Client'); // THEN - TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { EnableTokenRevocation: Match.absentProperty(), }); }); @@ -566,7 +566,7 @@ describe('User Pool Client', () => { }); // THEN - TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { EnableTokenRevocation: true, }); }); @@ -583,7 +583,7 @@ describe('User Pool Client', () => { }); // THEN - TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { + Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', { EnableTokenRevocation: true, }); });