AWS::Cognito::UserPoolClient-AllowedOAuthFlows #47

Closed
benbridts opened this issue Jul 31, 2019 · 6 comments
Labels
security identity compliance IAM, Cognito, Secrets Manager, GuardDuty, etc.

Comments

@benbridts

benbridts commented Jul 31, 2019

AllowedOAuthFlows can be set by the API, but not with CloudFormation

Create and Update are both supported without replacement.

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.htm
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_UpdateUserPoolClient.html

Category: Security, Identity, & Compliance

@benbridts benbridts changed the title AWS::Cognito:: UserPoolClient-AllowedOAuthFlows AWS::Cognito::UserPoolClient-AllowedOAuthFlows Jul 31, 2019
@luiseduardocolon luiseduardocolon added the security identity compliance IAM, Cognito, Secrets Manager, GuardDuty, etc. label Jul 31, 2019
@nuttmeister

Hey,

Please have a look at our custom resource for this:
https://github.com/dwtechnologies/custom-cf/tree/master/cognito/userpool-client

And let us know if it doesn't work for your use case; we would be happy to update it.

@castaway2000

@jacintoArias The documentation is inconsistent with the actual implementation. The enum expected is not the same one that the wizard walks you through, and CloudFormation expects different values. 'token' is not one of them despite being listed in the documentation for CFT. I checked with our Amazon ProServ team and they confirmed that the template used was correctly following the template. This is a bug with AWS for sure.

Following the documentation to the letter:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflows

AND

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes

Both these errors happen in cloudformation:
1 validation error detected: Value '[token, code]' at 'allowedOAuthFlows' failed to satisfy constraint: Member must satisfy constraint: [Member must satisfy enum value set: [implicit, client_credentials, code]] (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: InvalidParameterException; Request ID: 35361b9f-89ef-4392-b131-53d05491a71e)

AND

Invalid scope requested: Cognito (Service: AWSCognitoIdentityProvider; Status Code: 400; Error Code: ScopeDoesNotExistException; Request ID: e645a434-a37d-4e02-a608-ea8661e151a6)

In the above errors you can clearly see that the API is inconsistent with CloudFormation and the respective documentation.

@congr

congr commented Oct 25, 2019

> AllowedOAuthFlows can be set by the API, but not with CloudFormation

I'd like to clarify that CloudFormation supports AllowedOAuthFlows.
I know the document is not well-defined, but I also figured it out by testing for a couple of days and realized CloudFormation works fine. I will ask the proper team for the documentation.

You can set it like this:

```yaml
  # Fragment of a larger template: UserPoolId and the referenced
  # AmazonFederateIdentityProvider resource are defined elsewhere.
  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    # Ensure the identity provider exists before the client that uses it is created
    DependsOn: AmazonFederateIdentityProvider
    Properties:
      AllowedOAuthFlows:
        - code          # accepted values: code, implicit, client_credentials
      AllowedOAuthScopes:
        - email
        - openid
```
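The two errors quoted earlier in this thread (the enum set `[implicit, client_credentials, code]` and the rejected `Cognito` scope) and the snippet above together pin down what CloudFormation actually accepts. The following is a complete, deployable template written for this page as an added example; it is not code from the issue or from any of the commenters. The resource names, the callback/logout URLs, the hosted-UI domain prefix and the `api/read` resource-server scope are assumptions chosen for illustration. It shows a public web client restricted to the authorization `code` grant, and a separate machine-to-machine client using `client_credentials` against a custom resource-server scope, which is the only way a `client_credentials` client can get a scope at all.

```yaml
# Added example for this page (not the issue author's or AWS's template).
# Names, URLs and the domain prefix below are assumptions for illustration.
AWSTemplateFormatVersion: '2010-09-09'
Description: Cognito user pool with OAuth app clients configured via CloudFormation

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: example-user-pool      # assumed name
      UsernameAttributes:
        - email
      AutoVerifiedAttributes:
        - email

  # Hosted-UI domain; OAuth endpoints (/oauth2/authorize, /oauth2/token) live here.
  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref UserPool
      Domain: example-app-login            # assumed; must be unique in the region

  # Custom scope for machine-to-machine access. Scopes are referenced as
  # "<Identifier>/<ScopeName>", i.e. "api/read" below.
  ApiResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Properties:
      UserPoolId: !Ref UserPool
      Identifier: api                      # assumed identifier
      Name: example-api
      Scopes:
        - ScopeName: read
          ScopeDescription: Read access to the example API

  # Public (browser) client: authorization code grant only.
  WebAppClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: web-app
      UserPoolId: !Ref UserPool
      GenerateSecret: false                # a browser cannot keep a client secret
      # Without this flag the OAuth properties below are silently ignored.
      AllowedOAuthFlowsUserPoolClient: true
      # Valid values are code, implicit, client_credentials. "token" is rejected
      # with InvalidParameterException. "implicit" hands tokens back in the URL
      # fragment; prefer code (with PKCE on the client side) for browser apps.
      AllowedOAuthFlows:
        - code
      # Built-in scopes: openid, email, phone, profile, aws.cognito.signin.user.admin.
      # A bare "Cognito" scope fails with ScopeDoesNotExistException.
      AllowedOAuthScopes:
        - openid
        - email
        - profile
      SupportedIdentityProviders:
        - COGNITO
      # Required when code or implicit is enabled; must be HTTPS (http only for localhost).
      CallbackURLs:
        - https://app.example.com/callback   # assumed URL
      LogoutURLs:
        - https://app.example.com/logout     # assumed URL
      PreventUserExistenceErrors: ENABLED  # same error for unknown and wrong-password users
      ExplicitAuthFlows:
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH

  # Confidential (server-to-server) client: client_credentials grant only.
  ServiceClient:
    Type: AWS::Cognito::UserPoolClient
    # The custom scope must exist before the client references it.
    DependsOn: ApiResourceServer
    Properties:
      ClientName: backend-service
      UserPoolId: !Ref UserPool
      GenerateSecret: true                 # required for client_credentials
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - client_credentials               # cannot be combined with code/implicit
      AllowedOAuthScopes:
        - api/read                         # only resource-server scopes are allowed here
      SupportedIdentityProviders:
        - COGNITO

Outputs:
  WebAppClientId:
    Value: !Ref WebAppClient
  ServiceClientId:
    Value: !Ref ServiceClient
  HostedUiDomain:
    Value: !Ref UserPoolDomain
```

Deploy with `aws cloudformation deploy --template-file template.yaml --stack-name cognito-oauth-example`. The `ServiceClient` secret is never emitted as an output on purpose; read it with `aws cognito-idp describe-user-pool-client` from a principal that is allowed to, rather than leaking it into stack outputs.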

@benbridts (Author)

Is this not already available?

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthflows

It seems to have been added in august, but it isn't mentioned in the CloudFormation release notes.

Documentation update where it was added: awsdocs/aws-cloudformation-user-guide@c9b84e8#diff-09cd4c20036ee265dc44b36968ce414aR15
