feat(cognito): add support for token revocation in UserPoolClient #15317

Merged
merged 8 commits into from
Aug 10, 2021
11 changes: 11 additions & 0 deletions packages/@aws-cdk/aws-cognito/README.md
Expand Up @@ -603,6 +603,17 @@ pool.addClient('app-client', {
});
```

[Token revocation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html
) can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior.

```ts
const pool = new cognito.UserPool(this, 'Pool');
pool.addClient('app-client', {
// ...
enableTokenRevocation: true,
});
```

### Resource Servers

A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an
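Review bot: the README sentence and the new doc comment disagree on what the default applies to: the README says token revocation "is enabled for new user pools", while `enableTokenRevocation` is a per-app-client setting and the `@default` in user-pool-client.ts says "true for new user pool clients". Because the new test asserts that `EnableTokenRevocation` is absent from the template when the prop is omitted, the accurate statement is that the CDK leaves the property unset and Cognito's own default applies; suggest naming the prop and saying so, e.g. "By default the CDK does not set this property, and Cognito enables token revocation for newly created app clients; set `enableTokenRevocation` to turn it on for an existing client or to disable it." Also keep the link target and its closing `)` on one line rather than breaking before the parenthesis.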
8 changes: 8 additions & 0 deletions packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
Expand Up @@ -293,6 +293,13 @@ export interface UserPoolClientOptions {
* @default - all standard and custom attributes
*/
readonly writeAttributes?: ClientAttributes;

/**
* Enable token revocation for this client.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
* @default true for new user pool clients
*/
readonly enableTokenRevocation?: boolean;
}

/**
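Review bot: the `@default true for new user pool clients` tag describes the service behaviour, not what this construct does; the construct passes the value through unchanged, so when it is omitted the property is simply absent from the template. Follow the convention used by the neighbouring `@default - all standard and custom attributes` and state what happens when the prop is unset, e.g. `@default - not set; Cognito's default applies (enabled for newly created app clients)`, so readers do not assume the CDK enforces `true`.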
Expand Down Expand Up @@ -381,6 +388,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
supportedIdentityProviders: this.configureIdentityProviders(props),
readAttributes: props.readAttributes?.attributes(),
writeAttributes: props.writeAttributes?.attributes(),
enableTokenRevocation: props.enableTokenRevocation,
});
this.configureTokenValidity(resource, props);

47 changes: 47 additions & 0 deletions packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
Expand Up @@ -541,6 +541,53 @@ describe('User Pool Client', () => {
})).toThrow(/disableOAuth is set/);
});

test('EnableTokenRevocation is absent by default', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');

// WHEN
pool.addClient('Client');

// THEN
TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
EnableTokenRevocation: Match.absentProperty(),
});
});

test('enableTokenRevocation in addClient', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');

// WHEN
pool.addClient('Client', {
enableTokenRevocation: true,
});

// THEN
TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
EnableTokenRevocation: true,
});
});

test('enableTokenRevocation in UserPoolClient', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');

// WHEN
new UserPoolClient(stack, 'Client1', {
userPool: pool,
enableTokenRevocation: true,
});

// THEN
TemplateAssertions.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
EnableTokenRevocation: true,
});
});

describe('token validity', () => {
test('default', () => {
// GIVEN
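Review bot: none of the three new tests covers `enableTokenRevocation: false`, which is the value that actually turns revocation off for a client and therefore the one most worth locking in; add a case mirroring 'enableTokenRevocation in addClient' that asserts `EnableTokenRevocation: false` in the template, so a future change from pass-through to a `?? true` default would be caught. Minor: the first test name uses the CloudFormation casing `EnableTokenRevocation` while the other two use the camelCase prop name; use the prop name consistently.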