Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

aws-cognito: UserPool.identityProviders is empty #31252

Closed
1 task
jburn7 opened this issue Aug 29, 2024 · 5 comments
Closed
1 task

aws-cognito: UserPool.identityProviders is empty #31252

jburn7 opened this issue Aug 29, 2024 · 5 comments
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito bug This issue is a bug. p3

Comments

@jburn7
Copy link

jburn7 commented Aug 29, 2024
edited
Loading

Describe the bug

When a modification is made to the UserPoolClient, its associated identity providers are reset to just the Cognito identity provider. According to (https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_cognito.UserPoolClientIdentityProvider.html), that is is supposed to be mitigated by providing supportedIdentityProviders to the UserPoolClient.

I'm having trouble fetching the existing identity providers in the user pool to pass into supportedIdentityProviders

const userPool = new UserPool(scope, poolName, {
  userPoolName: poolName,
  ...
}

const identityProviders = userPool.identityProviders.map((identityProvider) =>
  UserPoolClientIdentityProvider.custom(identityProvider.providerName)
);

const userPoolClient = new UserPoolClient(scope, clientName, {
  userPool,
  ...,
  supportedIdentityProviders: [
    UserPoolClientIdentityProvider.COGNITO,
    ...identityProviders
  ]
});

Deploying that results in the user pool client's identity providers being reset to just Cognito, which as far as I can tell would imply that UserPool.identityProviders is always empty, because if I were to specify the name of an identity provider instead of fetching it from the user pool like so:

const userPoolClient = new UserPoolClient(scope, clientName, {
  userPool,
  ...,
  supportedIdentityProviders: [
    UserPoolClientIdentityProvider.COGNITO,
    UserPoolClientIdentityProvider.custom('KnownProviderName')
  ]
});

Then that custom provider is kept on the user pool client after a deployment. So the issue is with fetching the existing ones from the user pool

Therefore, I'd ask two things:

  1. Is it a known bug that UserPool.identityProviders doesn't return the list of identity providers on that user pool
  2. Is there a way to prevent user pool client identity provider associations from being wiped after a deployment in the first place? Omitting supportedIdentityProviders from the construct produces the same result, where the identity providers are reset to Cognito

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

UserPool.identityProviders returns the full list of identity providers as seen in the "Federated identity provider sign-in" box of the "Sign-in Experience" tab of a user pool in the AWS console

Current Behavior

UserPool.identityProviders returns an empty list

Reproduction Steps

const userPool = new UserPool(scope, poolName, {
  userPoolName: poolName,
  autoVerify: { email: true },
  signInAliases: { email: true },
  selfSignUpEnabled: false,
  signInCaseSensitive: false,
  mfa: Mfa.OFF, 
  accountRecovery: AccountRecovery.EMAIL_ONLY,
});

const readAttributes = new ClientAttributes().withStandardAttributes({
  givenName: true,
  familyName: true,
  email: true,
  emailVerified: true,
  address: true,
  birthdate: true,
  gender: true,
  locale: true,
  middleName: true,
  fullname: true,
  nickname: true,
  phoneNumber: true,
  profilePicture: true,
  preferredUsername: true,
  profilePage: true,
  timezone: true,
  lastUpdateTime: true,
  website: true,
  phoneNumberVerified: true
});

const writeAttributes = new ClientAttributes().withStandardAttributes({
  givenName: true,
  familyName: true,
  email: true,
  emailVerified: false,
  address: true,
  birthdate: true,
  gender: true,
  locale: true,
  middleName: true,
  fullname: true,
  nickname: true,
  phoneNumber: true,
  profilePicture: true,
  preferredUsername: true,
  profilePage: true,
  timezone: true,
  lastUpdateTime: true,
  website: true,
  phoneNumberVerified: false
});

const identityProviders = userPool.identityProviders.map((identityProvider) =>
  UserPoolClientIdentityProvider.custom(identityProvider.providerName)
);

const callbackUrls = [`${appUrl}/sign-in/sso`];
const logoutUrls = [`${appUrl}`];
const userPoolClient = new UserPoolClient(scope, idTag('frontend-client'), {
  userPool,
  authFlows: {
    userPassword: true,
    adminUserPassword: true,
    custom: true,
    userSrp: true
  },
  oAuth: { callbackUrls, logoutUrls },
  writeAttributes: writeAttributes,
  readAttributes: readAttributes,
  generateSecret: false,
  supportedIdentityProviders: [
    UserPoolClientIdentityProvider.COGNITO,
    ...identityProviders
  ]
});

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.138.0

Framework Version

No response

Node.js Version

20

OS

Alpine Linux

Language

TypeScript

Language Version

No response

Other information

No response
@jburn7 jburn7 added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 29, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cognito Related to Amazon Cognito label Aug 29, 2024
@ashishdhingra
Copy link
Contributor

@jburn7 Good afternoon. For your scenario, were these identity providers added outside the CDK code? If yes, then CDK doesn't know about it. CDK represents a CloudFormation resource with set of attributes. When you run cdk synth, it would synthesize the CDK code to a template. In most cases where context lookup is not used, it would not refresh the properties of existing CFN resource if these were added outside of the CDK. In other words, it would not make an AWS SDK API call to retrieve the resource.

As a workaround, you may try using customer resource provider that makes AWS Cognito Service API call to retrieve list of identity providers. In the successful custom resource call, you could use that list in your code. In case of failure, we could just ignore and proceed with the default.

Thanks,
Ashish

@ashishdhingra ashishdhingra added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p3 and removed needs-triage This issue or PR still needs to be triaged. labels Aug 29, 2024
@pahud
Copy link
Contributor

pahud commented Aug 30, 2024
edited
Loading

According to this:

aws-cdk/packages/aws-cdk-lib/aws-cognito/lib/user-pool.ts

Lines 831 to 833 in 574d383

public registerIdentityProvider(provider: IUserPoolIdentityProvider) {
this.identityProviders.push(provider);
}

userPool.identityProviders is an array which will only be populated when you explicitly registerIdentityProvider(). It would be empty if you don't explicitly run this method.

With that said, you need to define IUserPoolIdentityProvider and register to the UserPool with registerIdentityProvider() explicitly.

Check description here for more details:

aws-cdk/packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts

Lines 279 to 286 in 574d383

/**
* The list of identity providers that users should be able to use to sign in using this client.
*
* @default - supports all identity providers that are registered with the user pool. If the user pool and/or
* identity providers are imported, either specify this option explicitly or ensure that the identity providers are
* registered with the user pool using the `UserPool.registerIdentityProvider()` API.
*/
readonly supportedIdentityProviders?: UserPoolClientIdentityProvider[];

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Aug 30, 2024
This was referenced Sep 1, 2024
Open
Open
@jburn7
Copy link
Author

jburn7 commented Sep 12, 2024

@ashishdhingra @pahud I was able to solve this using a combination of both of your answers, thank you

@ashishdhingra
Copy link
Contributor

@ashishdhingra @pahud I was able to solve this using a combination of both of your answers, thank you

@jburn7 Glad the guidance worked for you.

@ashishdhingra ashishdhingra closed this as not planned Won't fix, can't repro, duplicate, stale Sep 12, 2024
@github-actions GitHub Actions
Copy link

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 12, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-cognito Related to Amazon Cognito bug This issue is a bug. p3
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pahud @jburn7 @ashishdhingra