From 7e1c015b825b4c51d6c1875592b78c12da5666a5 Mon Sep 17 00:00:00 2001
From: Shiv Lakshminarayan
Date: Tue, 29 Sep 2020 02:12:37 -0700
Subject: [PATCH 1/2] fix(cognito): callback URLs are specified when OAuth is disabled for user pool clients
When the `UserPoolClient` property `disableOAuth` is set, callback URLs should not be rendered as it represents a list of allowed redirects for identity providers. Added in a condition that only renders the callback URL default of `https://example.com` if OAuth is enabled.
Closes #10311
---
 .../aws-cognito/lib/user-pool-client.ts | 2 +-
 .../aws-cognito/test/user-pool-client.test.ts | 24 +++++++++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
index b799eb2035fa1..2b785db4ce4e2 100644
--- a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
+++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
@@ -320,7 +320,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
 explicitAuthFlows: this.configureAuthFlows(props),
 allowedOAuthFlows: props.disableOAuth ? undefined : this.configureOAuthFlows(),
 allowedOAuthScopes: props.disableOAuth ? undefined : this.configureOAuthScopes(props.oAuth),
- callbackUrLs: callbackUrls && callbackUrls.length > 0 ? callbackUrls : undefined,
+ callbackUrLs: callbackUrls && callbackUrls.length > 0 && !props.disableOAuth ? callbackUrls : undefined,
 logoutUrLs: props.oAuth?.logoutUrls,
 allowedOAuthFlowsUserPoolClient: !props.disableOAuth,
 preventUserExistenceErrors: this.configurePreventUserExistenceErrors(props.preventUserExistenceErrors),
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
index 8266b73e61fbb..23782e8ecba32 100644
--- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
+++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
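Review bot: `logoutUrLs: props.oAuth?.logoutUrls,` on the line right after the changed one is still emitted when `disableOAuth` is set, although logout URLs are, like callback URLs, presumably only meaningful as an OAuth redirect allow-list; gating it the same way, `logoutUrLs: props.disableOAuth ? undefined : props.oAuth?.logoutUrls,`, would keep OAuth-only redirect targets out of the template when OAuth is off. The new `&&` chain also silently discards callback URLs a caller passed explicitly in `oAuth.callbackUrls` together with `disableOAuth: true`; since the class appears to throw for other inconsistent OAuth settings (see the test 'fails when callbackUrls is empty for codeGrant or implicitGrant' in the test-file hunk), throwing on that contradictory combination would surface the mistake instead of hiding it. Writing the condition in the `props.disableOAuth ? undefined : …` form used by the two lines above it would also read more consistently. The enclosing function and the `callbackUrls` local start outside the hunk.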
@@ -175,6 +175,30 @@ describe('User Pool Client', () => {
 });
 });
 
+ test('callbackUrls are not rendered if OAuth is disabled ', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+
+ // WHEN
+ new UserPoolClient(stack, 'PoolClient', {
+ userPool: pool,
+ disableOAuth: true,
+ });
+
+ // THEN
+ expect(stack).not.toHaveResourceLike('AWS::CognitoUserPoolClient', {
+ CallbackURLs: ['https://example.com'],
+ });
+
+ expect(stack).toHaveResource('AWS::Cognito::UserPoolClient', {
+ AllowedOAuthFlowsUserPoolClient: false,
+ SupportedIdentityProviders: [
+ 'COGNITO',
+ ],
+ });
+ });
+
 test('fails when callbackUrls is empty for codeGrant or implicitGrant', () => {
 const stack = new Stack();
 const pool = new UserPool(stack, 'Pool');
From b879e231924c3e822979a34bcecaea9de18a38a6 Mon Sep 17 00:00:00 2001
From: Shiv Lakshminarayan
Date: Wed, 30 Sep 2020 02:28:32 -0700
Subject: [PATCH 2/2] update test to validate that callbackURLs property is absent
---
 .../aws-cognito/test/user-pool-client.test.ts | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
index 23782e8ecba32..10e4dc2711f31 100644
--- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
+++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts
@@ -187,15 +187,8 @@ describe('User Pool Client', () => {
 });
 
 // THEN
- expect(stack).not.toHaveResourceLike('AWS::CognitoUserPoolClient', {
- CallbackURLs: ['https://example.com'],
- });
-
- expect(stack).toHaveResource('AWS::Cognito::UserPoolClient', {
- AllowedOAuthFlowsUserPoolClient: false,
- SupportedIdentityProviders: [
- 'COGNITO',
- ],
+ expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', {
+ CallbackURLs: ABSENT,
 });
 });
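Review bot: The test name on the first added line carries a trailing space, `'callbackUrls are not rendered if OAuth is disabled '`; drop it so the name matches what a test filter or report shows. The test also only exercises the default callback URL: a second case that passes `oAuth: { callbackUrls: [...] }` together with `disableOAuth: true` would pin down whether explicitly supplied URLs are dropped or rejected, which the library change otherwise leaves untested. The `describe` block enclosing this hunk starts and ends outside it.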
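Review bot: The rewritten assertion drops the `AllowedOAuthFlowsUserPoolClient: false` check that the removed lines had, so the test no longer confirms that OAuth itself is off in the rendered template; both can sit in the one matcher, `expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', { AllowedOAuthFlowsUserPoolClient: false, CallbackURLs: ABSENT, });`. `ABSENT` is used without a visible import change, so presumably it is already imported at the top of the test file. The enclosing test's GIVEN and WHEN lines start outside the hunk.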