Cognito UserPoolClient and UserPoolDomain #166

Open
toomeydanielj opened this issue Jun 4, 2021 · 6 comments
Comments

@toomeydanielj

Hello,
I'm experiencing two issues with Cognito:

  1. User Pool Clients. My client shows up and when I hit the + in the left column of the selection table to expand it, it shows all of the properties that I expect (ReadAttributes, WriteAttributes, ExplicitAuthFlows, SupportedIdentityProviders, CallbackURLs, LogoutURLs, AllowedOAuthFlows, AllowedOauthScopes, AllowedOAuthFlowsUserPoolClient, and PreventUserExistenceErrors).

However, when I select it and hit Generate, I only get ReadAttributes, WriteAttributes, and ExplicitAuthFlows. It's missing all of the other properties like CallbackURLs, LogoutURLs, and AllowedOAuthScopes for example.

Is there a reason those don't show up when I Generate?

  2. My User Pool Domain simply doesn't show up. (No matching records found). I'm not using a custom domain, just the Amazon Cognito Domain with a user specified prefix. The output would look similar to this:
UserPoolDomain: 
  Type: AWS::Cognito::UserPoolDomain 
  Properties:
    UserPoolId: !Ref UserPool 
    Domain: "my-test-user-pool-domain"

Are only custom domains supported?

iann0036 added a commit that referenced this issue Jun 5, 2021
@iann0036
Owner

iann0036 commented Jun 5, 2021

Hey @toomeydanielj,

Thanks heaps for raising!

For the User Pool Clients, I added the mapping to the additional fields and that resource should be comprehensive again now.

For the User Pool Domains, I noticed a logic error that meant domains would never be generated which I've attempted to fix. The logic for these domains is a little tricky when compensating for prefix vs. custom domains, so give the updated version a shot and let me know if you still have issues with it.

@toomeydanielj
Author

Thank you for the quick turnaround!

The User Pool Client issue is fixed, I am now seeing all of the expected properties when hitting Generate.

However, I am still not seeing my User Pool Domain show up.

@iann0036
Owner

iann0036 commented Jun 6, 2021

Hey @toomeydanielj,

Thanks for letting me know. I've added some additional changes to the User Pool Domain logic which should now fix it 🤞

@toomeydanielj
Author

@iann0036 It works! Thank you!

@toomeydanielj
Author

@iann0036 I worked through a couple more quirks while deploying the generated CloudFormation.

  1. "Please use TemporaryPasswordValidityDays in PasswordPolicy instead of UnusedAccountValidityDays"

In the PasswordPolicy, it correctly outputs TemporaryPasswordValidityDays. A few lines later, the AdminCreateUserConfig outputs UnusedAccountValidityDays. Apparently, you can't use both of these in the same pool.

Note
If you set a value for TemporaryPasswordValidityDays in PasswordPolicy, that value will be used and UnusedAccountValidityDays will be deprecated for that user pool.

https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cognito-userpool-admincreateuserconfig.html
https://forums.aws.amazon.com/thread.jspa?threadID=318380

Solution:

AdminCreateUserConfig:
    AllowAdminCreateUserOnly: false
    UnusedAccountValidityDays: 7

to

AdminCreateUserConfig:
    AllowAdminCreateUserOnly: false

  2. "Validation error detected: Value null at 'customDomainConfig.certificateArn' failed to satisfy constraint: Member must not be null"

I know you said it was difficult to detect if you're using a custom domain or not. But for my prefix domain, it still generates a CustomDomainConfig property. That cannot be empty, so it needs to be omitted for prefix domains.

Solution:

CognitoUserPoolDomain:
    Type: "AWS::Cognito::UserPoolDomain"
    Properties:
        Domain: "my-domain"
        CustomDomainConfig: {}
        UserPoolId: !Ref CognitoUserPool

To:

CognitoUserPoolDomain:
    Type: "AWS::Cognito::UserPoolDomain"
    Properties:
        Domain: "my-domain"
        UserPoolId: !Ref CognitoUserPool

Both of these worked after the updates! Thanks again!
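The two template fixes described in this comment, written up as a post-processing check over a generated template. This is an added example, not code from former2 or from either participant; it assumes the template has already been loaded into a Python dict by a YAML loader that turns `!Ref X` into `{"Ref": "X"}`, and the sample template below is constructed for the example.

```python
# Added example (not part of former2 or this issue thread). It applies the two
# fixes reported above to a generated CloudFormation template held as a dict:
#   1. drop AdminCreateUserConfig.UnusedAccountValidityDays when
#      Policies.PasswordPolicy.TemporaryPasswordValidityDays is also set
#      (AWS only honours the latter and rejects the pair)
#   2. drop an empty CustomDomainConfig from a prefix-domain UserPoolDomain
#      (CustomDomainConfig.CertificateArn must not be null if the block exists)
from copy import deepcopy

# Constructed sample: a generated template showing both problems at once.
SAMPLE_TEMPLATE = {
    "Resources": {
        "CognitoUserPool": {
            "Type": "AWS::Cognito::UserPool",
            "Properties": {
                "Policies": {"PasswordPolicy": {"MinimumLength": 8,
                                                "TemporaryPasswordValidityDays": 7}},
                "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False,
                                          "UnusedAccountValidityDays": 7},
            },
        },
        "CognitoUserPoolDomain": {
            "Type": "AWS::Cognito::UserPoolDomain",
            "Properties": {"Domain": "my-domain", "CustomDomainConfig": {},
                           "UserPoolId": {"Ref": "CognitoUserPool"}},
        },
    }
}

def fix_cognito_template(template):
    """Return (fixed copy of the template, list of human-readable findings)."""
    fixed = deepcopy(template)
    findings = []
    for name, res in fixed.get("Resources", {}).items():
        props = res.get("Properties") or {}
        rtype = res.get("Type")
        if rtype == "AWS::Cognito::UserPool":
            pw_policy = (props.get("Policies") or {}).get("PasswordPolicy") or {}
            admin_cfg = props.get("AdminCreateUserConfig") or {}
            if "TemporaryPasswordValidityDays" in pw_policy and "UnusedAccountValidityDays" in admin_cfg:
                del admin_cfg["UnusedAccountValidityDays"]
                findings.append(f"{name}: removed AdminCreateUserConfig.UnusedAccountValidityDays")
        elif rtype == "AWS::Cognito::UserPoolDomain":
            cfg = props.get("CustomDomainConfig")
            # A prefix (amazoncognito.com) domain carries no certificate, so an
            # empty or ARN-less CustomDomainConfig can only fail validation.
            if isinstance(cfg, dict) and not cfg.get("CertificateArn"):
                del props["CustomDomainConfig"]
                findings.append(f"{name}: removed empty CustomDomainConfig (prefix domain)")
    return fixed, findings

if __name__ == "__main__":
    for line in fix_cognito_template(SAMPLE_TEMPLATE)[1]:
        print(line)
```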

@iann0036
Owner

iann0036 commented Jun 7, 2021

Hey @toomeydanielj,

Thanks again for those notes. That deprecated field issue is a fun one 😏.

Latest updates should cover it.
