feat(cognito): add support for token revocation in UserPoolClient (aws#15317)

Add support for token revocation in UserPoolClient.

For new user pool clients, token revocation is enabled by default. Property `enableTokenRevocation` introduces the possibility to enable token revocation for existing user pool clients.

Closes aws#15126

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
jumic authored and hollanddd committed Aug 26, 2021
1 parent 72550fe commit e06c8e8
Showing 3 changed files with 66 additions and 0 deletions.
11 changes: 11 additions & 0 deletions packages/@aws-cdk/aws-cognito/README.md
@@ -618,6 +618,17 @@ pool.addClient('app-client', {
});
```
[Token revocation](https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html
) can be configured to be able to revoke refresh tokens in app clients. By default, token revocation is enabled for new user pools. The property can be used to enable the token revocation in existing app clients or to change the default behavior.
```ts
const pool = new cognito.UserPool(this, 'Pool');
pool.addClient('app-client', {
// ...
enableTokenRevocation: true,
});
```
### Resource Servers
A resource server is a server for access-protected resources. It handles authenticated requests from an app that has an
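Review bot: the second sentence of the new README paragraph says token revocation is enabled by default "for new user pools", but the setting is per app client (the commit message and the `@default` on the new prop both say "new user pool clients"), and "The property" is never named before the code sample. Suggest: "By default, token revocation is enabled for new app clients. The `enableTokenRevocation` property can be used to enable token revocation in existing app clients or to change the default." It is also worth stating that when the property is omitted, CDK does not emit `EnableTokenRevocation` at all (the test in this commit asserts it is absent), so the default a reader gets is Cognito's service default for that client, and an existing client keeps whatever setting it already has. The markdown link also has a line break before its closing parenthesis, which some renderers will not parse as a link.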
8 changes: 8 additions & 0 deletions packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
@@ -293,6 +293,13 @@ export interface UserPoolClientOptions {
* @default - all standard and custom attributes
*/
readonly writeAttributes?: ClientAttributes;

/**
* Enable token revocation for this client.
* @see https://docs.aws.amazon.com/cognito/latest/developerguide/token-revocation.html#enable-token-revocation
* @default true for new user pool clients
*/
readonly enableTokenRevocation?: boolean;
}

/**
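Review bot: the `@default` on `enableTokenRevocation` reads `true for new user pool clients`, but the construct never sets a value when the prop is omitted (the constructor passes `props.enableTokenRevocation` through unchanged and the new test asserts the property is absent), so the documented default is the service's, not the construct's. CDK convention for a default that is not a literal value is a dash followed by a description, e.g. `@default - true for new user pool clients; existing clients keep their current setting`. Consider also documenting that `false` turns off the ability to revoke refresh tokens for this client, since that is the value a reviewer would want to spot in a stack.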
@@ -381,6 +388,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
supportedIdentityProviders: this.configureIdentityProviders(props),
readAttributes: props.readAttributes?.attributes(),
writeAttributes: props.writeAttributes?.attributes(),
enableTokenRevocation: props.enableTokenRevocation,
});
this.configureTokenValidity(resource, props);

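Review bot: `enableTokenRevocation: props.enableTokenRevocation` passes `undefined` straight through to the L1 resource, which is what makes the absent-by-default test pass; that is fine, but the commit changes only three files and no CloudFormation spec, so it relies on `EnableTokenRevocation` already existing on the generated `CfnUserPoolClient`. Worth stating in the PR description which cfnspec version introduced the property so the change is not merged ahead of it.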
47 changes: 47 additions & 0 deletions packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
@@ -541,6 +541,53 @@ describe('User Pool Client', () => {
})).toThrow(/disableOAuth is set/);
});

test('EnableTokenRevocation is absent by default', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');

// WHEN
pool.addClient('Client');

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
EnableTokenRevocation: Match.absentProperty(),
});
});

test('enableTokenRevocation in addClient', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');

// WHEN
pool.addClient('Client', {
enableTokenRevocation: true,
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
EnableTokenRevocation: true,
});
});

test('enableTokenRevocation in UserPoolClient', () => {
// GIVEN
const stack = new Stack();
const pool = new UserPool(stack, 'Pool');

// WHEN
new UserPoolClient(stack, 'Client1', {
userPool: pool,
enableTokenRevocation: true,
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Cognito::UserPoolClient', {
EnableTokenRevocation: true,
});
});

describe('token validity', () => {
test('default', () => {
// GIVEN
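Review bot: the three new tests cover the absent case and `true` via both `addClient` and `new UserPoolClient`, but there is no test for `enableTokenRevocation: false`. Since the prop is passed through unchanged, `false` should reach the template as `EnableTokenRevocation: false` rather than being dropped, and pinning that matters because `false` is the value that disables refresh-token revocation for a client. Suggest adding `pool.addClient('Client', { enableTokenRevocation: false });` with `EnableTokenRevocation: false` in the `hasResourceProperties` assertion. Minor: the first test name starts with `EnableTokenRevocation` while the other two use `enableTokenRevocation`; the surrounding tests use the prop name in camelCase.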