class OAuthScope

Language	Type name
.NET	Amazon.CDK.AWS.Cognito.OAuthScope
Java	software.amazon.awscdk.services.cognito.OAuthScope
Python	aws_cdk.aws_cognito.OAuthScope
TypeScript (source)	@aws-cdk/aws-cognito » OAuthScope

OAuth scopes that are allowed with this client.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-app-idp-settings.html

Example

const pool = new cognito.UserPool(this, 'Pool');

const readOnlyScope = new cognito.ResourceServerScope({ scopeName: 'read', scopeDescription: 'Read-only access' });
const fullAccessScope = new cognito.ResourceServerScope({ scopeName: '*', scopeDescription: 'Full access' });

const userServer = pool.addResourceServer('ResourceServer', {
  identifier: 'users',
  scopes: [ readOnlyScope, fullAccessScope ],
});

const readOnlyClient = pool.addClient('read-only-client', {
  // ...
  oAuth: {
    // ...
    scopes: [ cognito.OAuthScope.resourceServer(userServer, readOnlyScope) ],
  },
});

const fullAccessClient = pool.addClient('full-access-client', {
  // ...
  oAuth: {
    // ...
    scopes: [ cognito.OAuthScope.resourceServer(userServer, fullAccessScope) ],
  },
});

Properties

Name	Type	Description
scopeName	string	The name of this scope as recognized by CloudFormation.
static COGNITO_ADMIN	OAuthScope	Grants access to Amazon Cognito User Pool API operations that require access tokens, such as UpdateUserAttributes and VerifyUserAttribute.
static EMAIL	OAuthScope	Grants access to the 'email' and 'email_verified' claims.
static OPENID	OAuthScope	Returns all user attributes in the ID token that are readable by the client.
static PHONE	OAuthScope	Grants access to the 'phone_number' and 'phone_number_verified' claims.
static PROFILE	OAuthScope	Grants access to all user attributes that are readable by the client Automatically includes access to OAuthScope.OPENID.

---

scopeName

Type: string

The name of this scope as recognized by CloudFormation.

See also: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-allowedoauthscopes

---

static COGNITO_ADMIN

Type: OAuthScope

Grants access to Amazon Cognito User Pool API operations that require access tokens, such as UpdateUserAttributes and VerifyUserAttribute.

---

static EMAIL

Type: OAuthScope

Grants access to the 'email' and 'email_verified' claims.

Automatically includes access to OAuthScope.OPENID.

---

static OPENID

Type: OAuthScope

Returns all user attributes in the ID token that are readable by the client.

---

static PHONE

Type: OAuthScope

Grants access to the 'phone_number' and 'phone_number_verified' claims.

Automatically includes access to OAuthScope.OPENID.

---

static PROFILE

Type: OAuthScope

Grants access to all user attributes that are readable by the client Automatically includes access to OAuthScope.OPENID.

Methods

Name	Description
static custom(name)	Custom scope is one that you define for your own resource server in the Resource Servers.
static resourceServer(server, scope)	Adds a custom scope that's tied to a resource server in your stack.

---

static custom(name)

public static custom(name: string): OAuthScope

Parameters

• name string

Returns

• OAuthScope

Custom scope is one that you define for your own resource server in the Resource Servers.

The format is 'resource-server-identifier/scope'.

See also: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html

---

static resourceServer(server, scope)

public static resourceServer(server: IUserPoolResourceServer, scope: ResourceServerScope): OAuthScope

Parameters

• server IUserPoolResourceServer
• scope ResourceServerScope

Returns

• OAuthScope

Adds a custom scope that's tied to a resource server in your stack.