Skip to content

Data Source: awsCognitoUserPoolClient

Provides a Cognito User Pool Client resource.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.dataAwsCognitoUserPoolClient.DataAwsCognitoUserPoolClient(
  this,
  "client",
  {
    clientId: "38fjsnc484p94kpqsnet7mpld0",
    userPoolId: "us-west-2_aaaaaaaaa",
  }
);

Argument Reference

The following arguments are required:

  • clientId - (Required) Client Id of the user pool.
  • userPoolId - (Required) User pool the client belongs to.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • accessTokenValidity - (Optional) Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in tokenValidityUnits.
  • allowedOauthFlowsUserPoolClient - (Optional) Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
  • allowedOauthFlows - (Optional) List of allowed OAuth flows (code, implicit, client_credentials).
  • allowedOauthScopes - (Optional) List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
  • analyticsConfiguration - (Optional) Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
  • callbackUrls - (Optional) List of allowed callback URLs for the identity providers.
  • clientSecret - Client secret of the user pool client.
  • defaultRedirectUri - (Optional) Default redirect URI. Must be in the list of callback URLs.
  • enableTokenRevocation - (Optional) Enables or disables token revocation.
  • explicitAuthFlows - (Optional) List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
  • generateSecret - (Optional) Should an application secret be generated.
  • idTokenValidity - (Optional) Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. This value will be overridden if you have entered a value in tokenValidityUnits.
  • logoutUrls - (Optional) List of allowed logout URLs for the identity providers.
  • preventUserExistenceErrors - (Optional) Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to enabled and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to legacy, those APIs will return a userNotFoundException exception if the user does not exist in the user pool.
  • readAttributes - (Optional) List of user pool attributes the application client can read from.
  • refreshTokenValidity - (Optional) Time limit in days refresh tokens are valid for.
  • supportedIdentityProviders - (Optional) List of provider names for the identity providers that are supported on this client. Uses the providerName attribute of awsCognitoIdentityProvider resource(s), or the equivalent string(s).
  • tokenValidityUnits - (Optional) Configuration block for units in which the validity times are represented in. Detailed below.
  • writeAttributes - (Optional) List of user pool attributes the application client can write to.

analyticsConfiguration

Either applicationArn or applicationId is required.

  • applicationArn - (Optional) Application ARN for an Amazon Pinpoint application. Conflicts with externalId and roleArn.
  • applicationId - (Optional) Application ID for an Amazon Pinpoint application.
  • externalId - (Optional) ID for the Analytics Configuration. Conflicts with applicationArn.
  • roleArn - (Optional) ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with applicationArn.
  • userDataShared (Optional) If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.

tokenValidityUnits

Valid values for the following arguments are: seconds, minutes, hours or days.

  • accessToken - (Optional) Time unit in for the value in accessTokenValidity, defaults to hours.
  • idToken - (Optional) Time unit in for the value in idTokenValidity, defaults to hours.
  • refreshToken - (Optional) Time unit in for the value in refreshTokenValidity, defaults to days.