
Class OAuthScope

Namespace
Amazon.CDK.AWS.Cognito
Assembly
Amazon.CDK.AWS.Cognito.dll

OAuth scopes that are allowed with this client.

public class OAuthScope : DeputyBase
Inheritance
OAuthScope

Examples

// Illustrative CDK snippet: one resource server that defines two custom scopes, and one
// app client per scope, so each client is allowed to request only the scope it is given.
var userPool = new UserPool(this, "Pool");

// Narrow scope intended for read-only callers.
var readScopeProps = new ResourceServerScopeProps
{
    ScopeName = "read",
    ScopeDescription = "Read-only access"
};
var readScope = new ResourceServerScope(readScopeProps);

// Broad scope. "*" is simply the name chosen for it; nothing in this snippet gives the
// name wildcard semantics.
// NOTE(review): presumably the API behind the resource server must check the scope carried
// in the access token and decide what it permits - confirm before relying on it.
var fullScopeProps = new ResourceServerScopeProps
{
    ScopeName = "*",
    ScopeDescription = "Full access"
};
var fullScope = new ResourceServerScope(fullScopeProps);

// Register the resource server together with every scope it can hand out.
var usersApi = userPool.AddResourceServer("ResourceServer", new UserPoolResourceServerOptions
{
    Identifier = "users",
    Scopes = new[] { readScope, fullScope }
});

// Client limited to the read scope: the only scope listed in its OAuth settings.
var readOnlyGrant = OAuthScope.ResourceServer(usersApi, readScope);
var readerClient = userPool.AddClient("read-only-client", new UserPoolClientOptions
{
    // ... (remaining client options are elided in this example)
    OAuth = new OAuthSettings
    {
        // ... (remaining OAuth settings are elided in this example)
        Scopes = new[] { readOnlyGrant }
    }
});

// Client that is allowed the full-access scope; keep this separate from the read-only
// client so the broad scope is not available to callers that only need to read.
var fullAccessGrant = OAuthScope.ResourceServer(usersApi, fullScope);
var writerClient = userPool.AddClient("full-access-client", new UserPoolClientOptions
{
    // ... (remaining client options are elided in this example)
    OAuth = new OAuthSettings
    {
        // ... (remaining OAuth settings are elided in this example)
        Scopes = new[] { fullAccessGrant }
    }
});

Remarks

Properties

COGNITO_ADMIN

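Grants access to Amazon Cognito User Pool API operations that require access tokens, such as UpdateUserAttributes and VerifyUserAttribute. Because a token carrying this scope can call these operations, include it only for clients that need them.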

public static OAuthScope COGNITO_ADMIN { get; }

Property Value

OAuthScope

EMAIL

Grants access to the 'email' and 'email_verified' claims.

public static OAuthScope EMAIL { get; }

Property Value

OAuthScope

Remarks

Automatically includes access to OAuthScope.OPENID.

OPENID

Returns all user attributes in the ID token that are readable by the client.

public static OAuthScope OPENID { get; }

Property Value

OAuthScope

PHONE

Grants access to the 'phone_number' and 'phone_number_verified' claims.

public static OAuthScope PHONE { get; }

Property Value

OAuthScope

Remarks

Automatically includes access to OAuthScope.OPENID.

PROFILE

Grants access to all user attributes that are readable by the client. Automatically includes access to OAuthScope.OPENID.

public static OAuthScope PROFILE { get; }

Property Value

OAuthScope

ScopeName

The name of this scope as recognized by CloudFormation.

public virtual string ScopeName { get; }

Property Value

string

Remarks

Methods

Custom(string)

A custom scope is one that you define for your own resource server under Resource Servers.

public static OAuthScope Custom(string name)

Parameters

name string

Returns

OAuthScope

Remarks

ResourceServer(IUserPoolResourceServer, ResourceServerScope)

Adds a custom scope that's tied to a resource server in your stack.

public static OAuthScope ResourceServer(IUserPoolResourceServer server, ResourceServerScope scope)

Parameters

server IUserPoolResourceServer
scope ResourceServerScope

Returns

OAuthScope