import {
IUserPool,
IUserPoolClient,
} from 'aws-cdk-lib/aws-cognito';
import { Stack } from 'aws-cdk-lib/core';
import {
Construct, Node,
} from 'constructs';
import { IIdentityPool } from './identitypool';
/**
 * Represents the concept of a User Pool Authentication Provider.
 *
 * You use user pool authentication providers to configure User Pools
 * and User Pool Clients for use with Identity Pools.
 */
export interface IUserPoolAuthenticationProvider {
  /**
   * The method called when a given User Pool Authentication Provider is added
   * (for the first time) to an Identity Pool.
   *
   * @param scope construct used to resolve the enclosing stack (the default implementation
   *   takes the region and URL suffix for the provider name from it)
   * @param identityPool the identity pool the provider is being attached to
   * @param options bind options; no options are defined yet
   * @returns the client id, provider name and server-side token check setting
   *   to register on the identity pool
   */
  bind(
    scope: Construct,
    identityPool: IIdentityPool,
    options?: UserPoolAuthenticationProviderBindOptions
  ): UserPoolAuthenticationProviderBindConfig;
}
/**
 * Props for the User Pool Authentication Provider
 */
export interface UserPoolAuthenticationProviderProps {
  /**
   * The User Pool of the Associated Identity Providers
   */
  readonly userPool: IUserPool;
  /**
   * The User Pool Client for the provided User Pool
   *
   * @default - A new client named 'UserPoolAuthenticationProviderClient' is added to the User Pool
   */
  readonly userPoolClient?: IUserPoolClient;
  /**
   * Setting this to true turns off the identity pool's server side token check for this user pool.
   *
   * With the check enabled (the default), the identity pool verifies that the user has not been
   * globally signed out or deleted before it provides an OIDC token or AWS credentials for the user.
   * Disabling it removes that verification, so keep the default unless you have a specific reason.
   *
   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-identitypool-cognitoidentityprovider.html
   * @default false
   */
  readonly disableServerSideTokenCheck?: boolean;
}
/**
 * Represents UserPoolAuthenticationProvider Bind Options
 *
 * No options are defined yet; the type exists so `bind()` can accept options later.
 */
export interface UserPoolAuthenticationProviderBindOptions {}
/**
 * Represents a UserPoolAuthenticationProvider Bind Configuration
 */
export interface UserPoolAuthenticationProviderBindConfig {
  /**
   * Client Id of the Associated User Pool Client
   */
  readonly clientId: string;
  /**
   * Provider name of the User Pool as registered on the Identity Pool.
   * `UserPoolAuthenticationProvider` builds it as `cognito-idp.<region>.<urlSuffix>/<userPoolId>`.
   */
  readonly providerName: string;
  /**
   * Whether to enable the identity pool's server side token check.
   * This is the inverse of `UserPoolAuthenticationProviderProps.disableServerSideTokenCheck`.
   */
  readonly serverSideTokenCheck: boolean;
}
/**
 * Defines a User Pool Authentication Provider
 *
 * Binds a Cognito User Pool (and one of its clients) to an Identity Pool, producing the
 * client id, provider name and server-side token check flag the identity pool expects.
 */
export class UserPoolAuthenticationProvider implements IUserPoolAuthenticationProvider {
  /**
   * The User Pool of the Associated Identity Providers
   */
  private readonly userPool: IUserPool;

  /**
   * The User Pool Client for the provided User Pool
   */
  private readonly userPoolClient: IUserPoolClient;

  /**
   * Whether to disable the pool's default server side token check
   */
  private readonly disableServerSideTokenCheck: boolean;

  /**
   * @param props the user pool, an optional client and the token check setting
   */
  constructor(props: UserPoolAuthenticationProviderProps) {
    const { userPool, userPoolClient, disableServerSideTokenCheck } = props;
    this.userPool = userPool;
    // When no client is supplied, create one on the pool so the identity pool has a client id to reference.
    this.userPoolClient = userPoolClient ?? userPool.addClient('UserPoolAuthenticationProviderClient');
    // The server side token check stays enabled unless the caller explicitly disables it.
    this.disableServerSideTokenCheck = disableServerSideTokenCheck ?? false;
  }

  /**
   * Registers the user pool and client as dependencies of the identity pool and
   * returns the configuration the identity pool needs for this provider.
   *
   * @param scope construct whose stack supplies the region and URL suffix for the provider name
   * @param identityPool the identity pool this provider is attached to
   * @param _options currently unused
   * @returns client id, provider name and server-side token check flag
   */
  public bind(
    scope: Construct,
    identityPool: IIdentityPool,
    _options?: UserPoolAuthenticationProviderBindOptions,
  ): UserPoolAuthenticationProviderBindConfig {
    // The identity pool must be created after the pool and client it references.
    const identityPoolNode = Node.of(identityPool);
    identityPoolNode.addDependency(this.userPool);
    identityPoolNode.addDependency(this.userPoolClient);

    // NOTE(review): region and URL suffix come from the stack of `scope`, not from the user
    // pool's own environment — this presumably assumes both live in the same region; confirm
    // before relying on it with a user pool imported from another stack or region.
    const { region, urlSuffix } = Stack.of(scope);
    const providerName = `cognito-idp.${region}.${urlSuffix}/${this.userPool.userPoolId}`;

    return {
      clientId: this.userPoolClient.userPoolClientId,
      providerName,
      // Reported in the positive sense the identity pool expects: the check runs unless explicitly disabled.
      serverSideTokenCheck: !this.disableServerSideTokenCheck,
    };
  }
}