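AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Panda example Cognito user pool. The following are required fields for users:
    - email (used as the "identity" of the user, there are no separate usernames)
    - name
    - given_name
    - family_name
  The following fields are optional:
    - profile
    - picture
    - locale

# Parameter values are passed to Cognito as-is except where a constraint is
# declared below, so invalid input surfaces as a stack failure rather than at
# template-validation time.
Parameters:
  Name:
    Type: String
    Description: The name of the user pool
  RefreshTokenValidity:
    Type: Number
    Description: The time limit, in days, after which the refresh token is no longer valid.
    # Cognito reads this property in days unless TokenValidityUnits says
    # otherwise (it is not set on the client below); the accepted range for
    # days is 1-3650. The bound also caps how long a stolen refresh token
    # remains usable.
    MinValue: 1
    MaxValue: 3650
    ConstraintDescription: must be a whole number of days between 1 and 3650
  CookieName:
    Type: String
    Description: The name of the cookie that will be shared across all Panda-enabled applications
  DomainName:
    Type: String
    Description: The name of the domain on which the cookie will be placed
  CognitoDomainPrefix:
    Type: String
    Description: The domain prefix used for hosting the Cognito login UI (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html)
    # NOTE(review): Cognito restricts prefixes to lowercase alphanumerics and
    # hyphens and rejects some reserved words; an AllowedPattern here would
    # fail fast, but check the current limits in the linked page before
    # adding one.
  OAuthCallbacks:
    Type: String
    Description: Comma-separated list of OAuth callback URLS - one for each application issuing logins

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # Self-service sign-up is disabled: accounts are only created by an
      # administrator (AdminCreateUser), which is the intended model for a
      # pool that gates internal applications.
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      # Email is both the sign-in identifier and marked verified automatically.
      AutoVerifiedAttributes:
        - email
      UsernameAttributes:
        - email
      UserPoolName: !Ref Name
      # NOTE(review): MfaConfiguration and Policies.PasswordPolicy are not set,
      # so the pool runs with Cognito's defaults (MFA off). Confirm that is
      # acceptable for a pool whose cookie is honoured by every Panda app.
      # Attribute names follow the OIDC standard claims:
      # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      # NOTE(review): Cognito does not let the Required/Mutable settings of an
      # existing attribute be changed once the pool exists - confirm the
      # required set before the first deployment.
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: given_name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: family_name
          AttributeDataType: String
          Mutable: true
          Required: true
        # optional
        - Name: profile
          AttributeDataType: String
          Mutable: true
          Required: false
        - Name: picture
          AttributeDataType: String
          Mutable: true
          Required: false
        - Name: locale
          AttributeDataType: String
          Mutable: true
          Required: false

  # Hosted login UI at https://<CognitoDomainPrefix>.auth.<region>.amazoncognito.com
  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref UserPool
      Domain: !Ref CognitoDomainPrefix

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      # Authorization-code flow only: the implicit flow is not enabled, so
      # tokens are never returned in a redirect URL fragment.
      AllowedOAuthFlows:
        - code
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      # Cognito will only redirect to URLs in this list. Each entry should be
      # an exact HTTPS URL owned by the application; a loose entry widens where
      # authorization codes can be delivered.
      CallbackURLs: !Split [',', !Ref OAuthCallbacks]
      # USER_PASSWORD_AUTH lets a caller send the plaintext password to
      # InitiateAuth (the SRP flow is the alternative that never transmits it).
      # NOTE(review): if logins only go through the hosted UI above, this flow
      # is unused attack surface and can be dropped. If it stays, consider
      # PreventUserExistenceErrors: ENABLED so a failed login does not reveal
      # whether the email is registered - note that this changes the error
      # type callers see for unknown users, so it is not a drop-in change.
      ExplicitAuthFlows:
        - USER_PASSWORD_AUTH
      # A client secret makes this a confidential client; it must be kept
      # server-side and never shipped in browser or mobile code.
      GenerateSecret: true
      RefreshTokenValidity: !Ref RefreshTokenValidity
      UserPoolId: !Ref UserPool
      # No federated IdPs: only accounts in this pool can sign in.
      SupportedIdentityProviders:
        - COGNITO

  SettingsBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Objects are encrypted at rest with KMS; no KMSMasterKeyID is given, so
      # the AWS-managed S3 key is used rather than a customer-managed key.
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms
      # NOTE(review): no PublicAccessBlockConfiguration or bucket policy is
      # declared. The PrivateSettingsFile output implies this bucket holds
      # non-public configuration, so blocking public ACLs/policies is probably
      # wanted - confirm the "public" settings file is not served directly
      # from S3 before adding it, as that would break.

# Values consumed by the Panda applications that share the cookie.
Outputs:
  UserPoolId:
    Value: !Ref UserPool
  UserPoolClientId:
    Value: !Ref UserPoolClient
  SettingsBucket:
    Value: !Ref SettingsBucket
  CookieName:
    Value: !Ref CookieName
  # Object keys in SettingsBucket, derived from the cookie domain.
  PublicSettingsFile:
    Value: !Sub ${DomainName}.settings.public
  PrivateSettingsFile:
    Value: !Sub ${DomainName}.settings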