Describe the bug
The documentation for the authFlows attribute of UserPoolClient says that the default behaviour is "all auth flows disabled"; however, this is not the case. If no authFlows attribute is provided, it defaults to ALLOW_REFRESH_TOKEN_AUTH, ALLOW_CUSTOM_AUTH and ALLOW_USER_SRP_AUTH.
Expected Behavior
I expected there to be no AuthFlows activated for the client if I don't include the authFlows attribute.
Current Behavior
My client with no specified authFlows property gets these flows by default:
ALLOW_REFRESH_TOKEN_AUTH, ALLOW_CUSTOM_AUTH and ALLOW_USER_SRP_AUTH.
Reproduction Steps
This creates a client with auth flows enabled, even though authFlows was not provided.
pool.addClient(clientName, {
  userPoolClientName: clientName,
  generateSecret: true,
  enableTokenRevocation: true,
});
Possible Solution
In the code below, always pushing ALLOW_REFRESH_TOKEN_AUTH is a workaround so that CfnUserPoolClient always gets a value for explicitAuthFlows; otherwise it defaults to the values mentioned above. However, if the whole property is missing, the function returns undefined, which results in the default flows.
My suggestion (to at least limit the impact) is to push ALLOW_REFRESH_TOKEN_AUTH if the property is missing, just as we do when any of the authFlows have been set.
An even cleaner solution would be to update the behavior of CfnUserPoolClient so it doesn't create anything by default, but I am not sure where that function resides or how feasible that is.
https://github.com/aws/aws-cdk/blob/main/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts
private configureAuthFlows(props: UserPoolClientProps): string[] | undefined {
  if (!props.authFlows || Object.keys(props.authFlows).length === 0) return undefined;
  const authFlows: string[] = [];
  if (props.authFlows.userPassword) { authFlows.push('ALLOW_USER_PASSWORD_AUTH'); }
  if (props.authFlows.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); }
  if (props.authFlows.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); }
  if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); }
  // refreshToken should always be allowed if authFlows are present
  authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');
  return authFlows;
}
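To show the difference between the current early return and the suggested change side by side, here is an added TypeScript example (not aws-cdk's own code). It models both behaviours with a hypothetical AuthFlowOptions type that mirrors the authFlows props above, and adds a check over a constructed synthesized template that lists UserPoolClient resources whose ExplicitAuthFlows property is absent and that will therefore silently receive the service default flows.

```typescript
// Added example, not aws-cdk's own code. AuthFlowOptions is a hypothetical
// stand-in for the CDK authFlows props discussed in the issue.
interface AuthFlowOptions {
  userPassword?: boolean;
  adminUserPassword?: boolean;
  custom?: boolean;
  userSrp?: boolean;
}

function buildFlows(authFlows: AuthFlowOptions): string[] {
  const flows: string[] = [];
  if (authFlows.userPassword) flows.push('ALLOW_USER_PASSWORD_AUTH');
  if (authFlows.adminUserPassword) flows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH');
  if (authFlows.custom) flows.push('ALLOW_CUSTOM_AUTH');
  if (authFlows.userSrp) flows.push('ALLOW_USER_SRP_AUTH');
  flows.push('ALLOW_REFRESH_TOKEN_AUTH'); // refresh tokens are always allowed
  return flows;
}

// Current behaviour quoted in the issue: no authFlows -> undefined, so the
// template carries no ExplicitAuthFlows and the service default set applies.
export function configureAuthFlowsCurrent(authFlows?: AuthFlowOptions): string[] | undefined {
  if (!authFlows || Object.keys(authFlows).length === 0) return undefined;
  return buildFlows(authFlows);
}

// Suggested behaviour: always emit an explicit list, so a client declared
// without authFlows gets only ALLOW_REFRESH_TOKEN_AUTH instead of the defaults.
export function configureAuthFlowsProposed(authFlows?: AuthFlowOptions): string[] {
  return buildFlows(authFlows ?? {});
}

// Defender-side check over a synthesized template: logical ids of
// UserPoolClient resources whose ExplicitAuthFlows property is missing.
export function clientsWithImplicitAuthFlows(template: { Resources?: Record<string, any> }): string[] {
  const resources = template.Resources ?? {};
  return Object.keys(resources).filter((id) =>
    resources[id].Type === 'AWS::Cognito::UserPoolClient' &&
    !Array.isArray(resources[id].Properties?.ExplicitAuthFlows));
}

// Constructed sample template: one client synthesized as the issue describes
// (no ExplicitAuthFlows) and one carrying the proposed explicit list.
export const SAMPLE_TEMPLATE = { Resources: {
  ImplicitClient: { Type: 'AWS::Cognito::UserPoolClient',
    Properties: { UserPoolId: 'pool-id-placeholder', GenerateSecret: true } },
  ExplicitClient: { Type: 'AWS::Cognito::UserPoolClient',
    Properties: { UserPoolId: 'pool-id-placeholder', ExplicitAuthFlows: configureAuthFlowsProposed() } },
} };
```

Running clientsWithImplicitAuthFlows over the output of cdk synth (the parsed template JSON) flags every client that is relying on the implicit default set rather than a declared one.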
Additional Information/Context
No response
CDK CLI Version
2.87.0
Framework Version
No response
Node.js Version
18
OS
OSX
Language
Typescript
Language Version
No response
Other information
No response