feat(cognito): support emailVerified for AttributeMapping interface

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.apple.ts

@@ -23,6 +23,7 @@ new UserPoolIdentityProviderApple(stack, 'apple', {
   attributeMapping: {
     familyName: ProviderAttribute.APPLE_LAST_NAME,
     givenName: ProviderAttribute.APPLE_FIRST_NAME,
+    emailVerified: ProviderAttribute.APPLE_EMAIL_VERIFIED,
   },
 });
 

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.google.js.snapshot/integ-user-pool-idp-google.template.json

@@ -88,6 +88,7 @@
      "given_name": "given_name",
      "family_name": "family_name",
      "email": "email",
+     "email_verified": "email_verified",
      "gender": "gender",
      "names": "names"
     },

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.google.ts

@@ -35,6 +35,7 @@ new UserPoolIdentityProviderGoogle(stack, 'google', {
     givenName: ProviderAttribute.GOOGLE_GIVEN_NAME,
     familyName: ProviderAttribute.GOOGLE_FAMILY_NAME,
     email: ProviderAttribute.GOOGLE_EMAIL,
+    emailVerified: ProviderAttribute.GOOGLE_EMAIL_VERIFIED,
     gender: ProviderAttribute.GOOGLE_GENDER,
     custom: {
       names: ProviderAttribute.GOOGLE_NAMES,

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.oidc.js.snapshot/integ-user-pool-idp-google.template.json

@@ -73,7 +73,8 @@
    "Type": "AWS::Cognito::UserPoolIdentityProvider",
    "Properties": {
     "AttributeMapping": {
-     "phone_number": "phone_number"
+     "phone_number": "phone_number",
+     "email_verified": "email_verified"
     },
     "ProviderDetails": {
      "client_id": "client-id",

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-idp.oidc.ts

@@ -27,6 +27,7 @@ new UserPoolIdentityProviderOidc(stack, 'cdk', {
   scopes: ['openid', 'phone'],
   attributeMapping: {
     phoneNumber: ProviderAttribute.other('phone_number'),
+    emailVerified: ProviderAttribute.other('email_verified'),
   },
 });
 

packages/aws-cdk-lib/aws-cognito/README.md

@@ -1002,3 +1002,21 @@ const userpool = new cognito.UserPool(this, 'UserPool', {
 ```
 
 By default deletion protection is disabled.
+
+
+1### `email_verified` Attribute Mapping
+
+If you use a third-party identity provider, you can specify the `email_verified` attribute in attributeMapping.
+
+```typescript
+const userpool = new cognito.UserPool(this, 'Pool');
+
+new UserPoolIdentityProviderGoogle(stack, 'google', {
+  userPool: userpool,
+  clientId: 'google-client-id',
+  attributeMapping: {
+    email: ProviderAttribute.GOOGLE_EMAIL,
+    emailVerified: ProviderAttribute.GOOGLE_EMAIL_VERIFIED, // you can mapping the `email_verified` attribute.
+  },
+});
+```

packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/base.ts

@@ -6,6 +6,8 @@ import { IUserPool } from '../user-pool';
 export class ProviderAttribute {
   /** The email attribute provided by Apple */
   public static readonly APPLE_EMAIL = new ProviderAttribute('email');
+  /** The email verified atribute provided by Apple */
+  public static readonly APPLE_EMAIL_VERIFIED = new ProviderAttribute('email_verified');
   /** The name attribute provided by Apple */
   public static readonly APPLE_NAME = new ProviderAttribute('name');
   /** The first name attribute provided by Apple */
@@ -51,6 +53,8 @@ export class ProviderAttribute {
   public static readonly GOOGLE_PHONE_NUMBERS = new ProviderAttribute('phoneNumbers');
   /** The email attribute provided by Google */
   public static readonly GOOGLE_EMAIL = new ProviderAttribute('email');
+  /** The email verified attribute provided by Google */
+  public static readonly GOOGLE_EMAIL_VERIFIED = new ProviderAttribute('email_verified');
   /** The name attribute provided by Google */
   public static readonly GOOGLE_NAME = new ProviderAttribute('name');
   /** The picture attribute provided by Google */
@@ -98,6 +102,12 @@ export interface AttributeMapping {
    */
   readonly email?: ProviderAttribute;
 
+  /**
+   * The user's e-mail address is verification.
+   * @default - not mapped
+   */
+  readonly emailVerified?: ProviderAttribute;
+
   /**
    * The surname or last name of user.
    * @default - not mapped

packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/apple.test.ts

@@ -92,6 +92,7 @@ describe('UserPoolIdentityProvider', () => {
         attributeMapping: {
           familyName: ProviderAttribute.APPLE_LAST_NAME,
           givenName: ProviderAttribute.APPLE_FIRST_NAME,
+          emailVerified: ProviderAttribute.APPLE_EMAIL_VERIFIED,
           custom: {
             customAttr1: ProviderAttribute.APPLE_EMAIL,
             customAttr2: ProviderAttribute.other('sub'),

packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/base.test.ts

@@ -46,6 +46,7 @@ describe('UserPoolIdentityProvider', () => {
       expect(idp.mapping).toStrictEqual({
         given_name: 'name',
         birthdate: 'birthday',
+        email_verified: 'email_verified',
       });
     });
 

packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/google.test.ts

@@ -80,6 +80,7 @@ describe('UserPoolIdentityProvider', () => {
         attributeMapping: {
           givenName: ProviderAttribute.GOOGLE_NAME,
           address: ProviderAttribute.other('google-address'),
+          emailVerified: ProviderAttribute.GOOGLE_EMAIL_VERIFIED,
           custom: {
             customAttr1: ProviderAttribute.GOOGLE_EMAIL,
             customAttr2: ProviderAttribute.other('google-custom-attr'),