
Cognito UserPools lacking setters for attributes present in Web Console #7245

Closed
2 tasks
brainstorm opened this issue Apr 8, 2020 · 3 comments
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito closing-soon This issue will automatically close in 4 days unless further comments are made. feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged.

Comments

@brainstorm

brainstorm commented Apr 8, 2020

I would like to have access to all attributes presented on the AWS Web Console after creating a regular Cognito UserPool/IdentityPool.

Use Case

I would like to provide an easily deployable authentication backend for the Bioinformatics app "Integrative Genomics Viewer", both the Java and Javascript versions of it, on AWS:

https://github.com/umccr/igv/commits/aws_cdk_deploy

I need this feature to be able to allow third party biological laboratories to deploy this AWS stack easily on their own sensitive data repositories on S3. For more context see:

https://umccr.org/blog/igv-amazon-backend-setup/

Proposed Solution

Here are the attributes I would need to have access to in order to have the Cognito backend properly set up, as seen on the UserPools AWS Web Console:

        // General settings -> MFA and verifications:
        //                                          -> "How will a user be able to recover their account?": "None – users will have to contact an administrator to reset their passwords". CFN==MfaConfiguration?, CDK==NotFound
        //                                          -> Set MFA and verification option to: "None – users will have to contact an administrator to reset their passwords". CFN=="AutoVerifiedAttributes?", CDK==NotFound
        //                  -> Advanced Security:
        //                                          -> "Do you want to enable advanced security features for this user pool?": "Audit Only". CFN=="UserPoolAddOns", CDK==NotFound?
        //                  -> Devices:
        //                                          -> "Do you want to remember your user's devices?": Always. CFN==NotFound, CDK==NotFound
        // App Integration -> App client settings:
        //                                          -> "Enabled Identity Providers": "Google" checkbox. CFN==NotFound, CDK==NotFound
        //                                          -> "Allowed OAuth Flows": "Authorization code grant" checkbox. CFN==NotFound, CDK==NotFound
        //                                          -> "Allowed OAuth scopes": "email" and "profile" checkboxes. CFN==NotFound, CDK==NotFound
        //                                          -> "Prevent User Existence Errors": Enabled. CFN==NotFound, CDK==NotFound

As indicated by the CFN== and CDK== tags, I've not been able to find a straightforward way to set those specific attributes programmatically (by checking both the official docs and the CDK/JSII code classes). For instance, I noticed that some MFA functionality has been introduced between CDK 1.26 and 1.31, but there are still no methods to modify the aforementioned attributes, even when they are clearly present as private/protected attributes on CfnUserPoolProps.

See the following code for more context and current progress:

https://github.com/umccr/igv/blob/aws_cdk_deploy/src/main/java/org/umccr/awscdk/IGVAmazonCognitoStack.java

Other

/cc @reisingerf @victorskl

Adding a reference to this issue to #6765 as it is being worked on.

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change

This is a 🚀 Feature Request

@brainstorm brainstorm added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Apr 8, 2020
@brainstorm brainstorm changed the title Cognito UserPools lacking setters for attributes present in Web Console or Cloudformation Cognito UserPools lacking setters for attributes present in Web Console Apr 8, 2020
@SomayaB SomayaB added the @aws-cdk/aws-cognito Related to Amazon Cognito label Apr 9, 2020
@nija-at
Contributor

nija-at commented Apr 16, 2020

Thanks for filing this. Responses below -

"How will a user be able to recover their account?": "None – users will have to contact an administrator to reset their passwords". CFN==MfaConfiguration?, CDK==NotFound
Set MFA and verification option to: "None – users will have to contact an administrator to reset their passwords". CFN=="AutoVerifiedAttributes?", CDK==NotFound

MFA options are available in the CDK here - https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cognito-readme.html#multi-factor-authentication-mfa

"Do you want to enable advanced security features for this user pool?": "Audit Only". CFN=="UserPoolAddOns", CDK==NotFound?

This does not exist in the CDK. Please open a separate feature request for this.

"Do you want to remember your user's devices?": Always. CFN==NotFound, CDK==NotFound

Unfortunately, if a feature is not supported in CloudFormation, it cannot be incorporated into the CDK. Please follow the guidelines here - https://github.com/aws-cloudformation/aws-cloudformation-coverage-roadmap/ - and open a request for CloudFormation to support this.

"Enabled Identity Providers": "Google" checkbox. CFN==NotFound, CDK==NotFound

We have a feature request open for this already - #6853

"Allowed OAuth Flows": "Authorization code grant" checkbox. CFN==NotFound, CDK==NotFound
"Allowed OAuth scopes": "email" and "profile" checkboxes. CFN==NotFound, CDK==NotFound

All OAuth flows and scopes can be found here - https://docs.aws.amazon.com/cdk/api/latest/docs/aws-cognito-readme.html#app-clients

"Prevent User Existence Errors": Enabled. CFN==NotFound, CDK==NotFound

This exists in CloudFormation here, however, it has not been implemented in the CDK. If you would like this, please open a separate feature request for this.

@nija-at nija-at added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Apr 16, 2020
@brainstorm
Author

brainstorm commented Apr 17, 2020

Thanks a ton @nija-at for this super useful breakdown and feedback, I'll file those issues separately soon ;)

/cc @reisingerf @victorskl

brainstorm added a commit to umccr/igv that referenced this issue Apr 17, 2020
…ssue aws/aws-cdk#7245. A few gaps left to cover to make this deployment stack usable though. Looks like it might take a bit longer to have a fully deployable and secure Cognito setup with Cloudformation/CDK
@AXSJ

AXSJ commented Sep 27, 2021

[image]

Adding the above to your CloudFormation will turn on always remember user devices. Just tested it myself.
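Pulling the thread's list together as an added example (not code from the issue or from the umccr/igv project): the L2 UserPool construct covers MFA, account recovery and self sign-up, and the settings CloudFormation supports but the L2 has no setter for (UserPoolAddOns, DeviceConfiguration, PreventUserExistenceErrors) are reached through the Cfn escape hatch. It assumes aws-cdk-lib v2 for Java; the class name, construct ids and callback URL are placeholders.

```java
import java.util.List;
import software.amazon.awscdk.Stack;
import software.amazon.awscdk.services.cognito.AccountRecovery;
import software.amazon.awscdk.services.cognito.CfnUserPool;
import software.amazon.awscdk.services.cognito.CfnUserPoolClient;
import software.amazon.awscdk.services.cognito.Mfa;
import software.amazon.awscdk.services.cognito.MfaSecondFactor;
import software.amazon.awscdk.services.cognito.OAuthFlows;
import software.amazon.awscdk.services.cognito.OAuthScope;
import software.amazon.awscdk.services.cognito.OAuthSettings;
import software.amazon.awscdk.services.cognito.UserPool;
import software.amazon.awscdk.services.cognito.UserPoolClient;
import software.constructs.Construct;
// Added example (not from the issue or umccr/igv); assumes aws-cdk-lib v2 for Java.
public class HardenedCognitoStack extends Stack {
    public HardenedCognitoStack(final Construct scope, final String id) {
        super(scope, id);
        // L2 construct: MFA, account recovery and self sign-up have native setters.
        UserPool pool = UserPool.Builder.create(this, "IgvUserPool")
                .selfSignUpEnabled(false)              // accounts are created by an administrator
                .accountRecovery(AccountRecovery.NONE) // "None - users will have to contact an administrator"
                .mfa(Mfa.REQUIRED)
                .mfaSecondFactor(MfaSecondFactor.builder().otp(true).sms(false).build())
                .build();
        // Escape hatch: the underlying CfnUserPool carries every CloudFormation property,
        // including the ones the L2 construct has no setter for.
        CfnUserPool cfnPool = (CfnUserPool) pool.getNode().getDefaultChild();
        cfnPool.setUserPoolAddOns(CfnUserPool.UserPoolAddOnsProperty.builder()
                .advancedSecurityMode("AUDIT")           // "Audit Only"
                .build());
        cfnPool.setDeviceConfiguration(CfnUserPool.DeviceConfigurationProperty.builder()
                .challengeRequiredOnNewDevice(true)
                .deviceOnlyRememberedOnUserPrompt(false) // remember devices: "Always"
                .build());
        // Browser app client: authorization-code grant only, no implicit grant, no client secret.
        UserPoolClient client = UserPoolClient.Builder.create(this, "IgvWebClient")
                .userPool(pool)
                .generateSecret(false)
                .oAuth(OAuthSettings.builder()
                        .flows(OAuthFlows.builder().authorizationCodeGrant(true).build())
                        .scopes(List.of(OAuthScope.OPENID, OAuthScope.EMAIL, OAuthScope.PROFILE))
                        .callbackUrls(List.of("https://igv.example.org/callback")) // placeholder URL
                        .build())
                .build();
        // "Prevent User Existence Errors": the same escape hatch on the app client.
        CfnUserPoolClient cfnClient = (CfnUserPoolClient) client.getNode().getDefaultChild();
        cfnClient.setPreventUserExistenceErrors("ENABLED");
    }
}
```

Escape-hatch values such as "AUDIT" and "ENABLED" are plain strings that CloudFormation validates only at deploy time, so inspect the `cdk synth` template before deploying.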
