feat(cognito): allow to set read and write attributes in Cognito UserPoolClient

[tom139]

Commit Message

feat(cognito): allow to set read and write attributes in Cognito UserPoolClient

Add ability to specify which attributes each App Client can read or write.

closes #7407

End Commit Message

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[nija-at]

Thanks for submitting this PR.

I have some comments on this below.

Pull request has been modified.

[nija-at]

Please address existing comments.

[arnulfojr]

any updates?

[gitpod-io]

Pull request has been modified.

[tom139]

Sorry for making you wait so long. 🙏🏽

I started from scratch with the approach suggested by @nija-at inspired by AccessLogFormat. The main change is the addition of the AttributeSet class that represent a set of attributes (both standard and custom).

Naming of the methods may be misleading, but I couldn't think anything better and am open to suggestion.

Usage is:

const pool = new cognito.UserPool(this, 'Pool');
pool.addClient('app-client', {
  // ...
  readAttributes: AttributeSet.allStandard(['custom:my_attribute_1', 'custom:my_attribute_2']),
  writeAttributes: AttributeSet.from({name: true, locale: true}, ['custom:my_attribute_1']),
});

[nija-at]

Hey @tom139 -

I'm going to be on vacation for the next couple of weeks for the holidays. I'll take a look at this once I'm back.
Happy holidays!

[tom139]

Have a nice time and stay safe! :)

[nija-at]

Thanks for updating this PR. Some questions, comments and suggestions below.

[nija-at]

Curious: why are preferred_email and preferred_number_number special?
They don't feature as standard attributes in the cognito docs. why are they considered as standard?

[tom139]

My bad. It is not preferred_email and preferred_phone_number to be special, it is email_verified and phone_number_verified.

These are special because are not directly mentioned in the list at the linked page but are present in the cited OpenID Connect Specification and are in fact present among the other standard attributes.

These two attributes are the missing ones from the cited StandardAttributes interface.

[nija-at]

are in fact present among the other standard attributes

What do you mean by this? Were you able to confirm that they are actually supported by Cognito, but just missing in the documentation?

If that's the case, we should just add these to StandardAttributes.

[tom139]

I have conducted some tests and I confirm Configuring User Pool is missing two attributes: email_verified and phone_number_verified.

Even though it states:

You get a set of default attributes, called "standard attributes," with all user pools. You can also add custom attributes to your user pool definition in the AWS Management Console. This topic describes those attributes in detail and gives you tips on how to set up your user pool.

and does not list them under standard attributes, the following call:

❯ aws cognito-idp create-user-pool --cli-input-json file://userpool.json
❯ cat userpool.json 
{
    "PoolName": "test",
    "Policies": {
        "PasswordPolicy": {
            "MinimumLength": 10,
            "RequireUppercase": true,
            "RequireLowercase": true,
            "RequireNumbers": true,
            "RequireSymbols": true,
            "TemporaryPasswordValidityDays": 10
        }
    },
    "AutoVerifiedAttributes": [
        "email"
    ],
    "UsernameAttributes": [
        "email"
    ],
    "Schema": [
        {
            "Name": "email",
            "AttributeDataType": "String",
            "Mutable": true,
            "Required": true,
            "StringAttributeConstraints": {
                "MinLength": "5",
                "MaxLength": "2048"
            }
        },
        {
            "Name": "email_verified",
            "AttributeDataType": "Boolean",
            "Mutable": true,
            "Required": true
        }
    ],
    "UsernameConfiguration": {
        "CaseSensitive": true
    }
}

works as expected, setting both email and email_verified as required and mutable attributes.

The UI Console has the same problem as it does not show (phone_number|email)_verified in the attribute list:

I filed feedbacks for the documentation and the web ui pages.

That said, I will add those 2 attributes to the StandardAttributes interface, so StandardAttributes and StandardAttributesMask will have the same properties.

Pull request has been modified.

[tom139]

I think I addressed everything except setting up a test for detecting drifts between StandardAttributes and StandardAttributesMask.

[nija-at]

Looks closer. A few more comments. Hopefully the last round of review before merging 😊

[nija-at]

Do we still need the ClientAttributes.empty() method? Customers can just use the constructor new ClientAttributes(), no?

[tom139]

Much nicer 👍🏽 I did the refactor.

[nija-at]

Slight tweaks to the documentation.

Suggested change

	The default behaviour is to allow read and write permissions on all attributes.
	```ts
	const pool = new cognito.UserPool(this, 'Pool');
	// create a set of attributes that the client will be allowed to set
	const clientWriteAttributes = ClientAttributes.empty()
	.withStandardAttributes({name: true, email: true})
	.withCustomAttributes(['favouritePizza']);
	// read attributes are usually more than the writable ones
	const clientReadAttributes = clientWriteAttributes
	.withStandardAttributes({emailVerified: true})
	.withCustomAttributes(['pointsEarned']);
	pool.addClient('app-client', {
	// ...
	readAttributes: clientReadAttributes,
	writeAttributes: clientWriteAttributes,
	});
	```
	The default behaviour is to allow read and write permissions on all attributes. The following code shows how this can be configured for a client.
	```ts
	const pool = new cognito.UserPool(this, 'Pool');
	const clientWriteAttributes = ClientAttributes.empty()
	.withStandardAttributes({name: true, email: true})
	.withCustomAttributes(['favouritePizza']);
	const clientReadAttributes = clientWriteAttributes
	.withStandardAttributes({emailVerified: true})
	.withCustomAttributes(['pointsEarned']);
	pool.addClient('app-client', {
	// ...
	readAttributes: clientReadAttributes,
	writeAttributes: clientWriteAttributes,
	});
	```

Pull request has been modified.

[tom139]

Thank you for the time spent reviewing this!

Just a question more: am I supposed to hit "Resolve Conversation" when I think I addressed the issue, or should I let you do it?

[tom139]

Much nicer 👍🏽 I did the refactor.

[nija-at]

am I supposed to hit "Resolve Conversation" when I think I addressed the issue

Clicking 'resolve conversation' is fine once you've addressed it 😊

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[aws-cdk-automation]

AWS CodeBuild CI Report

• CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
• Commit ID: 49f6eea
• Result: SUCCEEDED
• Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

[mergify]

Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[russelldavis]

@tom139 @nija-at this is great, thank you! One question: why does withStandardAttributes take in an object like {name: true, email: true}, instead of a simple list like ["name", "email"]? It's also inconsistent with withCustomAttributes, which takes in a list of names.

[russelldavis]

Also, regarding #7607 (comment), I'd like to express interest in the additional static method you discussed, which would prepopulate all of the standard attributes.

A common use case (I think) is to allow write access to everything except for a small number of custom attributes. To do this now, I'll have to manually list all of the standard attributes, and keep my manual list up to date if those ever change.

Thanks again.

[russelldavis]

To follow up on that last comment, here's the code I ended up writing:

const standardWriteAttributes = new ClientAttributes().withStandardAttributes({
  address: true,
  birthdate: true,
  email: true,
  familyName: true,
  gender: true,
  givenName: true,
  locale: true,
  middleName: true,
  fullname: true,
  nickname: true,
  phoneNumber: true,
  profilePicture: true,
  preferredUsername: true,
  profilePage: true,
  timezone: true,
  lastUpdateTime: true,
  website: true,
});

const standardReadAttributes = standardWriteAttributes.withStandardAttributes({
  emailVerified: true,
  phoneNumberVerified: true,
});

new UserPoolClient(this, "UserPoolClient", {
  // Allow everything except for writing custom attributes.
  readAttributes: standardReadAttributes.withCustomAttributes(...Object.keys(customAttributes)),
  writeAttributes: standardWriteAttributes,
});

Would be great if those lists were exposed, perhaps via withAllStandardReadAttributes() and withAllStandardWriteAttributes() functions.

Note that they need to be separate lists, because emailVerified and phoneNumberVerified cannot be set as writable. I learned this the hard way when cdk deploy gave me an error of "Invalid write attributes specified" without telling me which ones were invalid (another reason having these predefined would be helpful.)

[tom139]

Hi, thank you for your feedback! I totally agree with you. What do you think should be the best way to implement this?

Having two all attributes methods

as you suggested: one for Writing and one for Reading attributes.
.withAllStandardReadAttributes() for all attributes,
.withAllStandardWriteAttributes() for all attributes except *Verified.

Usage:

const readAttr = (new ClientAttributes()).withAllStandardReadAttributes();
const writeAttr = (new ClientAttributes()).withAllStandardWriteAttributes();

Having only one method

withAllStandardAttributes() that adds all standard attributes and adding a check for removing *Verified attribute at UserPoolClient creation time

Usage:

const readAttr = (new ClientAttributes()).withAllStandardAttributes();
const writeAttr = (new ClientAttributes()).withAllStandardAttributes();

---

I think the latter would be is easier to use, what do you think?

[tom139]

Sorry, I forgot to write about different design choices for withCustomAttributes() vs _withStandardAttributes()`.

Having an interface for the standard attributes allow the user to easily find the available values through code completion; and in my opinion it is more valuable than consistency among with*Attributes() methods.

[russelldavis]

What do you think should be the best way to implement this?

I like the idea of having as few methods as possible, but in this case I think keeping them separate is best. Automatically removing the *Verified attributes could cause some confusion — a developer would reasonably assume those attributes are writable if they put them in writeAttributes and everything succeeds, but they'd be wrong. "Explicit is better than implicit."

[russelldavis]

I'm with you about the value of code completion. Fortunately there's a way to have that without sacrificing consistency. For example:

type StandardAttribute = "name" | "email";
function withStandardAttributes(...attributes: StandardAttribute[]);

When you type withStandardAttributes(" in VSCode, it will give you code completion, and show an error if you type a value not in the list.

[tom139]

Yeah, it is very cool! Unfortunately we must ensure that JSII can synthesise this information in other languages too… I don't think this will work outside of Typescript. 😔

@nija-at could you help us on that?