diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts index 2b785db4ce4e2..ac67257b6a315 100644 --- a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts +++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts @@ -30,12 +30,6 @@ export interface AuthFlow { * @default false */ readonly userSrp?: boolean; - - /** - * Enable authflow to refresh tokens - * @default false - */ - readonly refreshToken?: boolean; } /** @@ -343,12 +337,18 @@ export class UserPoolClient extends Resource implements IUserPoolClient { } private configureAuthFlows(props: UserPoolClientProps): string[] | undefined { + if (!props.authFlows) return undefined; + const authFlows: string[] = []; - if (props.authFlows?.userPassword) { authFlows.push('ALLOW_USER_PASSWORD_AUTH'); } - if (props.authFlows?.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); } - if (props.authFlows?.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); } - if (props.authFlows?.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); } - if (props.authFlows?.refreshToken) { authFlows.push('ALLOW_REFRESH_TOKEN_AUTH'); } + if (props.authFlows.userPassword) { authFlows.push('ALLOW_USER_PASSWORD_AUTH'); } + if (props.authFlows.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); } + if (props.authFlows.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); } + if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); } + + // refreshToken should always be allowed if authFlows are present + if (authFlows.length > 0) { + authFlows.push('ALLOW_REFRESH_TOKEN_AUTH'); + } if (authFlows.length === 0) { return undefined; diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.ts b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.ts index 06fbe5b373c81..dbad2591fc1bc 100644 --- a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.ts 
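Review bot: The unconditional `authFlows.push('ALLOW_REFRESH_TOKEN_AUTH')` in configureAuthFlows is justified only by "should always be allowed", while the same commit deletes the public `refreshToken` option from `AuthFlow`, so a reader cannot tell whether the missing opt-out is by design or by oversight. If the reason is that Cognito rejects an `ALLOW_*`-style ExplicitAuthFlows list that omits ALLOW_REFRESH_TOKEN_AUTH (my understanding, but not shown in this diff), state it at the push site: `// Cognito requires ALLOW_REFRESH_TOKEN_AUTH whenever any ALLOW_* flow is enabled, so it is always appended; the former 'refreshToken' flag was removed and there is no opt-out.` A TSDoc block on the method should also say that it returns undefined both when `authFlows` is absent (the new early return) and when every flag is false (the final length check), so that an all-false `authFlows: {}` never yields a refresh-token-only list. The body of configureAuthFlows continues past the end of this hunk.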
+++ b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.ts @@ -11,7 +11,6 @@ userpool.addClient('myuserpoolclient', { authFlows: { adminUserPassword: true, custom: true, - refreshToken: true, userPassword: true, userSrp: true, }, diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts index 10e4dc2711f31..081d9d9e6526b 100644 --- a/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts +++ b/packages/@aws-cdk/aws-cognito/test/user-pool-client.test.ts @@ -78,7 +78,6 @@ describe('User Pool Client', () => { authFlows: { adminUserPassword: true, custom: true, - refreshToken: true, userPassword: true, userSrp: true, }, @@ -95,6 +94,26 @@ describe('User Pool Client', () => { }); }); + test('ExplicitAuthFlows makes refreshToken true by default', () => { + // GIVEN + const stack = new Stack(); + const pool = new UserPool(stack, 'Pool'); + + // WHEN + pool.addClient('Client', { + authFlows: { + userSrp: true, + }, + }); + + expect(stack).toHaveResourceLike('AWS::Cognito::UserPoolClient', { + ExplicitAuthFlows: [ + 'ALLOW_USER_SRP_AUTH', + 'ALLOW_REFRESH_TOKEN_AUTH', + ], + }); + }); + test('AllowedOAuthFlows are correctly named', () => { // GIVEN const stack = new Stack(); diff --git a/packages/@aws-cdk/aws-elasticloadbalancingv2-actions/test/integ.cognito.lit.ts b/packages/@aws-cdk/aws-elasticloadbalancingv2-actions/test/integ.cognito.lit.ts index f9ab2c015b382..c68562ee6ffcb 100644 --- a/packages/@aws-cdk/aws-elasticloadbalancingv2-actions/test/integ.cognito.lit.ts +++ b/packages/@aws-cdk/aws-elasticloadbalancingv2-actions/test/integ.cognito.lit.ts @@ -32,7 +32,6 @@ class CognitoStack extends Stack { generateSecret: true, authFlows: { userPassword: true, - refreshToken: true, }, oAuth: { flows: {
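Review bot: The new 'ExplicitAuthFlows makes refreshToken true by default' test pins only the one-flag case; nothing checks that `ALLOW_REFRESH_TOKEN_AUTH` is not emitted on its own when `authFlows` is `{}` (every flag false), which is exactly the boundary the `authFlows.length > 0` guard in the lib hunk exists for. Add a sibling test that calls `pool.addClient('Client', { authFlows: {} })` and asserts the resource carries no `ExplicitAuthFlows` property, using whichever absent-property matcher this test file already uses elsewhere. The array assertion also depends on push order, so a comment such as `// refresh-token flow is appended last by configureAuthFlows` would explain why the ordering is fixed.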