(cognito): UserPoolClient does not correctly respect authFlows

[kazkansouh]

I have a simple definition such as:

    const userPoolClient = new UserPoolClient(this, 'MyUserPool', {
      userPool,
      oAuth: {
        callbackUrls: ['http://localhost/callback'],
        flows: {
          authorizationCodeGrant: true,
        },
        scopes: [OAuthScope.OPENID, OAuthScope.PROFILE],
      },
      generateSecret: false,
      authFlows: {
        custom: false,
      },
    });

Notice, that it sets the custom auth flow to to false. However, after deploying this the following is observed in the console:

I.e. both custom and SRP are enabled without me specifying this.

Cause

I believe the below function is at fault as it only checks if any values are true before setting the CloudFormation property ExplicitAuthFlows.

aws-cdk/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts

Lines 410 to 428 in 1d54a45

	private configureAuthFlows(props: UserPoolClientProps): string[] | undefined {
	if (!props.authFlows) return undefined;
	const authFlows: string[] = [];
	if (props.authFlows.userPassword) { authFlows.push('ALLOW_USER_PASSWORD_AUTH'); }
	if (props.authFlows.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); }
	if (props.authFlows.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); }
	if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); }
	// refreshToken should always be allowed if authFlows are present
	if (authFlows.length > 0) {
	authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');
	}
	if (authFlows.length === 0) {
	return undefined;
	}
	return authFlows;
	}

Possible Solution

Possibly the following:

aws-cdk/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts

Lines 419 to 422 in 1d54a45

	// refreshToken should always be allowed if authFlows are present
	if (authFlows.length > 0) {
	authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');
	}

Should be changed to unconditionally push ALLOW_REFRESH_TOKEN_AUTH (as the case props.authFlows is undefined is already handled). I.e., it should be changed to:

authFlows.push('ALLOW_REFRESH_TOKEN_AUTH'); 

This would mean when the user provides a authFlows property the default behaviour will always be replaced, not only if a true value is provided for one of the options.

[diego-santacruz]

I stumbled on this problem today.
As explained above in other words, when all authFlows properties are false, or no authFlows are specified there is no ExplicitAuthFlows property in the resulting CloudFormation template. Although not clear in the CloudFormation doc nor the Cognito API, this creates a client with the "default" value for the allowed auth flows, which custom, SRP and refresh token flows enabled as shown above, which is not what the CDK UserPoolClient doc indicates.

As proposed above the expected behavior would be achieved by always including ALLOW_REFRESH_TOKEN_AUTH in ExplicitAuthFlows, as that flow must always be accepted.

I have added userPoolClient.node.defaultChild.addPropertyOverride('ExplicitAuthFlows', ['ALLOW_REFRESH_TOKEN_AUTH']) to my code as a workaround.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.