PR feedback

packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts

@@ -1,7 +1,6 @@
 import { Construct, IResource, Resource } from '@aws-cdk/core';
 import { CfnUserPoolClient } from './cognito.generated';
 import { IUserPool } from './user-pool';
-import { IUserPoolIdentityProvider } from './user-pool-idp';
 
 /**
  * Types of authentication flow
@@ -146,6 +145,27 @@ export class OAuthScope {
   }
 }
 
+/**
+ * Identity providers supported by the UserPoolClient
+ */
+export interface SupportedIdentityProviders {
+  /**
+   * Whether users can sign in directly as a user of the User Pool.
+   * @default true
+   */
+  readonly cognito?: boolean;
+  /**
+   * Whether users can sign in using 'Facebook Login'.
+   * @default false
+   */
+  readonly facebook?: boolean;
+  /**
+   * Whether users can sign in using 'Login With Amazon'.
+   * @default false
+   */
+  readonly amazon?: boolean;
+}
+
 /**
  * Options to create a UserPoolClient
  */
@@ -185,18 +205,13 @@ export interface UserPoolClientOptions {
   readonly preventUserExistenceErrors?: boolean;
 
   /**
-   * Whether users registered in the user pool should be able to sign in using this client.
-   * If this is set to `true` and `identityProviders` are set, the client will only allow sign in via
-   * third-party identity providers.
-   * @default true
+   * The list of identity providers that users should be able to use to sign in using this client.
+   *
+   * @default - supports all identity providers that are registered with the user pool. If the user pool and/or
+   * identity providers are imported, either specify this option explicitly or ensure that the identity providers are
+   * registered with the user pool using the `UserPool.registerIdentityProvider()` API.
    */
-  readonly allowUserPoolIdentities?: boolean;
-
-  /**
-   * The list of federated identity providers that users should be able to use to sign in using this client.
-   * @default - no identity providers
-   */
-  readonly identityProviders?: IUserPoolIdentityProvider[];
+  readonly supportedIdentityProviders?: SupportedIdentityProviders;
 }
 
 /**
@@ -343,14 +358,19 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
   }
 
   private configureIdentityProviders(props: UserPoolClientProps): string[] | undefined {
-    const providers: Set<string> = new Set();
-    if (props.allowUserPoolIdentities === undefined || props.allowUserPoolIdentities === true) {
-      providers.add('COGNITO');
-    }
-    if (props.identityProviders) {
-      props.identityProviders.forEach((p) => providers.add(p.providerName));
+    let providers: string[];
+    if (!props.supportedIdentityProviders) {
+      const providerSet = new Set(props.userPool.identityProviders.map((p) => p.providerName));
+      providerSet.add('COGNITO');
+      providers = Array.from(providerSet);
+    } else {
+      providers = [];
+      const idps = props.supportedIdentityProviders;
+      if (idps.cognito === undefined || idps.cognito === true) { providers.push('COGNITO'); }
+      if (idps.facebook) { providers.push('Facebook'); }
+      if (idps.amazon) { providers.push('LoginWithAmazon'); }
     }
-    if (providers.size === 0) { return undefined; }
+    if (providers.length === 0) { return undefined; }
     return Array.from(providers);
   }
 }

packages/@aws-cdk/aws-cognito/lib/user-pool-idp.ts

@@ -1,4 +1,4 @@
-import { Construct, IResource } from '@aws-cdk/core';
+import { Construct, IResource, Resource } from '@aws-cdk/core';
 import {
   UserPoolIdentityProviderAmazon,
   UserPoolIdentityProviderAmazonProps,
@@ -18,23 +18,33 @@ export interface IUserPoolIdentityProvider extends IResource {
 }
 
 /**
- * Options to integrate with the various social identity providers.
+ * User pool third-party identity providers
  */
 export class UserPoolIdentityProvider {
+
+  /**
+   * Import an existing UserPoolIdentityProvider
+   */
+  public static fromProviderName(scope: Construct, id: string, providerName: string): IUserPoolIdentityProvider {
+    class Import extends Resource implements IUserPoolIdentityProvider {
+      public readonly providerName: string = providerName;
+    }
+
+    return new Import(scope, id);
+  }
+
   /**
-   * Federate with 'Facebook Login'
-   * @see https://developers.facebook.com/docs/facebook-login/
+   * Federate login with 'Login with Amazon'
    */
-  public static facebook(scope: Construct, id: string, options: UserPoolIdentityProviderFacebookProps) {
-    return new UserPoolIdentityProviderFacebook(scope, id, options);
+  public static amazon(scope: Construct, id: string, props: UserPoolIdentityProviderAmazonProps) {
+    return new UserPoolIdentityProviderAmazon(scope, id, props);
   }
 
   /**
-   * Federate with 'Login with Amazon'
-   * @see https://developer.amazon.com/apps-and-games/login-with-amazon
+   * Federate login with 'Facebook Login'
    */
-  public static amazon(scope: Construct, id: string, options: UserPoolIdentityProviderAmazonProps) {
-    return new UserPoolIdentityProviderAmazon(scope, id, options);
+  public static facebook(scope: Construct, id: string, props: UserPoolIdentityProviderFacebookProps) {
+    return new UserPoolIdentityProviderFacebook(scope, id, props);
   }
 
   private constructor() {}

packages/@aws-cdk/aws-cognito/lib/user-pool-idps/amazon.ts

@@ -1,17 +1,11 @@
-import { Construct, Resource } from '@aws-cdk/core';
+import { Construct } from '@aws-cdk/core';
 import { CfnUserPoolIdentityProvider } from '../cognito.generated';
-import { IUserPool } from '../user-pool';
-import { IUserPoolIdentityProvider } from '../user-pool-idp';
+import { UserPoolIdentityProviderBase, UserPoolIdentityProviderProps } from './base';
 
 /**
  * Properties to initialize UserPoolAmazonIdentityProvider
  */
-export interface UserPoolIdentityProviderAmazonProps {
-  /**
-   * The user pool to which this construct provides identities.
-   */
-  readonly userPool: IUserPool;
-
+export interface UserPoolIdentityProviderAmazonProps extends UserPoolIdentityProviderProps {
   /**
    * The client id recognized by 'Login with Amazon' APIs.
    * @see https://developer.amazon.com/docs/login-with-amazon/security-profile.html#client-identifier
@@ -34,11 +28,11 @@ export interface UserPoolIdentityProviderAmazonProps {
  * Represents a identity provider that integrates with 'Login with Amazon'
  * @resource AWS::Cognito::UserPoolIdentityProvider
  */
-export class UserPoolIdentityProviderAmazon extends Resource implements IUserPoolIdentityProvider {
+export class UserPoolIdentityProviderAmazon extends UserPoolIdentityProviderBase {
   public readonly providerName: string;
 
   constructor(scope: Construct, id: string, props: UserPoolIdentityProviderAmazonProps) {
-    super(scope, id);
+    super(scope, id, props);
 
     const scopes = props.scopes ?? [ 'profile' ];
 

packages/@aws-cdk/aws-cognito/lib/user-pool-idps/base.ts

@@ -0,0 +1,25 @@
+import { Construct, Resource } from '@aws-cdk/core';
+import { IUserPool } from '../user-pool';
+import { IUserPoolIdentityProvider } from '../user-pool-idp';
+
+/**
+ * Properties to create a new instance of UserPoolIdentityProvider
+ */
+export interface UserPoolIdentityProviderProps {
+  /**
+   * The user pool to which this construct provides identities.
+   */
+  readonly userPool: IUserPool;
+}
+
+/**
+ * Options to integrate with the various social identity providers.
+ */
+export abstract class UserPoolIdentityProviderBase extends Resource implements IUserPoolIdentityProvider {
+  public abstract readonly providerName: string;
+
+  public constructor(scope: Construct, id: string, props: UserPoolIdentityProviderProps) {
+    super(scope, id);
+    props.userPool.registerIdentityProvider(this);
+  }
+}

packages/@aws-cdk/aws-cognito/lib/user-pool-idps/facebook.ts

@@ -1,17 +1,11 @@
-import { Construct, Resource } from '@aws-cdk/core';
+import { Construct } from '@aws-cdk/core';
 import { CfnUserPoolIdentityProvider } from '../cognito.generated';
-import { IUserPool } from '../user-pool';
-import { IUserPoolIdentityProvider } from '../user-pool-idp';
+import { UserPoolIdentityProviderBase, UserPoolIdentityProviderProps } from './base';
 
 /**
  * Properties to initialize UserPoolFacebookIdentityProvider
  */
-export interface UserPoolIdentityProviderFacebookProps {
-  /**
-   * The user pool to which this construct provides identities.
-   */
-  readonly userPool: IUserPool;
-
+export interface UserPoolIdentityProviderFacebookProps extends UserPoolIdentityProviderProps {
   /**
    * The client id recognized by Facebook APIs.
    */
@@ -38,11 +32,11 @@ export interface UserPoolIdentityProviderFacebookProps {
  * Represents a identity provider that integrates with 'Facebook Login'
  * @resource AWS::Cognito::UserPoolIdentityProvider
  */
-export class UserPoolIdentityProviderFacebook extends Resource implements IUserPoolIdentityProvider {
+export class UserPoolIdentityProviderFacebook extends UserPoolIdentityProviderBase {
   public readonly providerName: string;
 
   constructor(scope: Construct, id: string, props: UserPoolIdentityProviderFacebookProps) {
-    super(scope, id);
+    super(scope, id, props);
 
     const scopes = props.scopes ?? [ 'public_profile' ];
 

packages/@aws-cdk/aws-cognito/lib/user-pool-idps/index.ts

@@ -1,2 +1,3 @@
+export * from './base';
 export * from './amazon';
 export * from './facebook';

packages/@aws-cdk/aws-cognito/lib/user-pool.ts

@@ -5,6 +5,7 @@ import { CfnUserPool } from './cognito.generated';
 import { ICustomAttribute, RequiredAttributes } from './user-pool-attr';
 import { UserPoolClient, UserPoolClientOptions } from './user-pool-client';
 import { UserPoolDomain, UserPoolDomainOptions } from './user-pool-domain';
+import { IUserPoolIdentityProvider } from './user-pool-idp';
 
 /**
  * The different ways in which users of this pool can sign up or sign in.
@@ -525,6 +526,11 @@ export interface IUserPool extends IResource {
    */
   readonly userPoolArn: string;
 
+  /**
+   * Get all identity providers registered with this user pool.
+   */
+  readonly identityProviders: IUserPoolIdentityProvider[];
+
   /**
    * Add a new app client to this user pool.
    * @see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html
@@ -536,11 +542,17 @@ export interface IUserPool extends IResource {
    * @see https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html
    */
   addDomain(id: string, options: UserPoolDomainOptions): UserPoolDomain;
+
+  /**
+   * Register an identity provider with this user pool.
+   */
+  registerIdentityProvider(provider: IUserPoolIdentityProvider): void;
 }
 
 abstract class UserPoolBase extends Resource implements IUserPool {
   public abstract readonly userPoolId: string;
   public abstract readonly userPoolArn: string;
+  public readonly identityProviders: IUserPoolIdentityProvider[] = [];
 
   public addClient(id: string, options?: UserPoolClientOptions): UserPoolClient {
     return new UserPoolClient(this, id, {
@@ -555,6 +567,10 @@ abstract class UserPoolBase extends Resource implements IUserPool {
       ...options,
     });
   }
+
+  public registerIdentityProvider(provider: IUserPoolIdentityProvider) {
+    this.identityProviders.push(provider);
+  }
 }
 
 /**

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.expected.json

@@ -84,10 +84,10 @@
           "https://example.com"
         ],
         "SupportedIdentityProviders": [
-          "COGNITO",
           {
             "Ref": "amazon2D32744A"
-          }
+          },
+          "COGNITO"
         ]
       }
     },

packages/@aws-cdk/aws-cognito/test/integ.user-pool-idp.ts

@@ -1,5 +1,5 @@
 import { App, CfnOutput, Stack } from '@aws-cdk/core';
-import { UserPool, UserPoolIdentityProvider } from '../lib';
+import { UserPool, UserPoolIdentityProviderAmazon } from '../lib';
 
 /*
  * Stack verification steps
@@ -11,15 +11,13 @@ const stack = new Stack(app, 'integ-user-pool-idp');
 
 const userpool = new UserPool(stack, 'pool');
 
-const provider = UserPoolIdentityProvider.amazon(stack, 'amazon', {
+new UserPoolIdentityProviderAmazon(stack, 'amazon', {
   userPool: userpool,
   clientId: 'amzn-client-id',
   clientSecret: 'amzn-client-secret',
 });
 
-const client = userpool.addClient('client', {
-  identityProviders: [ provider ],
-});
+const client = userpool.addClient('client');
 
 const domain = userpool.addDomain('domain', {
   cognitoDomain: {