aws · jwoehrle · May 7, 2024 · May 17, 2024 · May 23, 2024 · Jun 17, 2024
diff --git a/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts b/packages/aws-cdk-lib/aws-cognito/lib/user-pool-idps/oidc.ts
@@ -1,7 +1,7 @@
 import { Construct } from 'constructs';
 import { UserPoolIdentityProviderProps } from './base';
 import { UserPoolIdentityProviderBase } from './private/user-pool-idp-base';
-import { Names, Token } from '../../../core';
+import { Names, SecretValue, Token } from '../../../core';
 import { CfnUserPoolIdentityProvider } from '../cognito.generated';
 
 /**
@@ -14,9 +14,17 @@ export interface UserPoolIdentityProviderOidcProps extends UserPoolIdentityProvi
   readonly clientId: string;
 
   /**
-   * The client secret
+   * The client secret as a plain text string. Exactly one of clientSecret or clientSecretValue has to be provided.
+   * @default none
+   * @deprecated use clientSecretValue instead
    */
-  readonly clientSecret: string;
+  readonly clientSecret?: string;
+
+  /**
+   * The client secret read from a @SecretValue. Exactly one of clientSecret or clientSecretValue has to be provided.
+   * @default none
+   */
+  readonly clientSecretValue?: SecretValue;
 
   /**
    * Issuer URL
@@ -109,13 +117,19 @@ export class UserPoolIdentityProviderOidc extends UserPoolIdentityProviderBase {
 
     const scopes = props.scopes ?? ['openid'];
 
+    //at least one of the properties must be configured
+    if ((!props.clientSecret && !props.clientSecretValue) ||
+        (props.clientSecret && props.clientSecretValue)) {
+      throw new Error('Exactly one of "clientSecret" or "clientSecretValue" must be configured.');
+    }
+
     const resource = new CfnUserPoolIdentityProvider(this, 'Resource', {
       userPoolId: props.userPool.userPoolId,
       providerName: this.getProviderName(props.name),
       providerType: 'OIDC',
       providerDetails: {
         client_id: props.clientId,
-        client_secret: props.clientSecret,
+        client_secret: props.clientSecretValue ? props.clientSecretValue.unsafeUnwrap() : props.clientSecret,
         authorize_scopes: scopes.join(' '),
         attributes_request_method: props.attributeRequestMethod ?? OidcAttributeRequestMethod.GET,
         oidc_issuer: props.issuerUrl,

diff --git a/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts b/packages/aws-cdk-lib/aws-cognito/test/user-pool-idps/oidc.test.ts
@@ -1,5 +1,5 @@
 import { Template } from '../../../assertions';
-import { Stack } from '../../../core';
+import { SecretValue, Stack } from '../../../core';
 import { ProviderAttribute, UserPool, UserPoolIdentityProviderOidc } from '../../lib';
 
 describe('UserPoolIdentityProvider', () => {
@@ -226,5 +226,35 @@ describe('UserPoolIdentityProvider', () => {
         ProviderName: 'oidcoidcoidcoidccoidcoidcoidcxyz',
       });
     });
+
+    test('throws with invalid param combination when clientSecret and clientSecretValue are passed', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'userpool');
+
+      // THEN
+      expect(() => new UserPoolIdentityProviderOidc(stack, 'userpoolidp', {
+        userPool: pool,
+        name: 'xy',
+        clientId: 'client-id',
+        clientSecret: 'client-secret',
+        clientSecretValue: SecretValue.unsafePlainText('client-secret'),
+        issuerUrl: 'https://my-issuer-url.com',
+      })).toThrow(/Exactly one of "clientSecret" or "clientSecretValue" must be configured./);
+    });
+
+    test('throws with invalid param combination when neither clientSecret nor clientSecretValue are passed', () => {
+      // GIVEN
+      const stack = new Stack();
+      const pool = new UserPool(stack, 'userpool');
+
+      // THEN
+      expect(() => new UserPoolIdentityProviderOidc(stack, 'userpoolidp', {
+        userPool: pool,
+        name: 'xy',
+        clientId: 'client-id',
+        issuerUrl: 'https://my-issuer-url.com',
+      })).toThrow(/Exactly one of "clientSecret" or "clientSecretValue" must be configured./);
+    });
   });
 });