############################################################################################################
# This includes all Cognito resources
#
# In addition to the User Pool, there are 3 user pool clients
# * Cognito Identity Broker - This client allows user login w/username and password
# * These clients can only authenticate via the authorization code flow process
# * Client 1 - This client's id/access tokens are valid for 2 hours
# * Client 2 - This client's id/access tokens are valid for 1 hour
#
############################################################################################################
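Resources:
  # The user pool shared by every client below. MFA is off, account recovery
  # prefers a verified email over a verified phone number, and SMS delivery
  # goes through SnsRole (declared outside this file) using the STS external id
  # from custom config.
  CognitoUserPool:
    Type: 'AWS::Cognito::UserPool'
    DependsOn:
      - SnsRole
    Properties:
      AccountRecoverySetting:
        RecoveryMechanisms:
          - Name: verified_email
            Priority: 1
          - Name: verified_phone_number
            Priority: 2
      AutoVerifiedAttributes:
        - email
      # EnabledMfas is intentionally omitted: a bare `EnabledMfas:` key parses
      # as null. List SMS_MFA / SOFTWARE_TOKEN_MFA here when MfaConfiguration
      # is switched on.
      EmailConfiguration:
        EmailSendingAccount: COGNITO_DEFAULT
      AdminCreateUserConfig:
        # Self sign-up is disabled; accounts are provisioned by an administrator.
        AllowAdminCreateUserOnly: true
        InviteMessageTemplate:
          EmailMessage: "Your username is {username} and temporary password is {####}"
          EmailSubject: "Your temporary password"
          SMSMessage: "Your username is {username} and temporary password is {####}"
      # Quoted on purpose: OFF is a YAML 1.1 boolean on some parsers.
      MfaConfiguration: 'OFF'
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false
          RequireUppercase: true
          TemporaryPasswordValidityDays: 7
      # All three attributes are optional and may be changed after sign-up.
      Schema:
        - Name: name
          Required: false
          Mutable: true
        - Name: email
          Required: false
          Mutable: true
        - Name: phone_number
          Required: false
          Mutable: true
      SmsConfiguration:
        ExternalId: ${self:custom.cognito.stsExternalId}
        SnsCallerArn: !GetAtt SnsRole.Arn
      SmsAuthenticationMessage: 'Your authentication code is {####}'
      UsernameConfiguration:
        CaseSensitive: false
      # Users sign in with either their email address or phone number.
      UsernameAttributes:
        - email
        - phone_number
      UserPoolAddOns:
        # Quoted for the same reason as MfaConfiguration (YAML 1.1 reads OFF as
        # false). With advanced security off, compromised-credential and
        # adaptive-authentication checks are not applied to sign-ins.
        AdvancedSecurityMode: 'OFF'
      UserPoolName: ${self:custom.cognito.userPoolName}
      VerificationMessageTemplate:
        DefaultEmailOption: CONFIRM_WITH_CODE
        EmailMessage: "Your verification code is {####}"
        EmailSubject: "Your verification code"
        SmsMessage: "Your verification code is {####}"

  # This is our main client for all user login (user pool & external users).
  # Other clients will lack the ability to login w/username & password.
  ClientBroker:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      ClientName: 'Cognito Identity Broker'
      AccessTokenValidity: 1
      # The only client that uses the hosted UI / OAuth endpoints; it is
      # restricted to the authorization code grant.
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code
      AllowedOAuthScopes:
        - phone
        - email
        - openid
        - profile
        - aws.cognito.signin.user.admin
      # Local-development redirect targets; stage-specific URLs belong in
      # custom config rather than hard-coded here.
      CallbackURLs:
        - http://localhost:3000
      # NOTE(review): with revocation disabled, an issued refresh token stays
      # usable until it expires even after a sign-out; confirm this is intended
      # before relying on sign-out to end sessions.
      EnableTokenRevocation: false
      ExplicitAuthFlows:
        - ALLOW_ADMIN_USER_PASSWORD_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
        - ALLOW_USER_SRP_AUTH
      # Public client (browser / SPA), so no client secret is issued.
      GenerateSecret: false
      IdTokenValidity: 1
      LogoutURLs:
        - http://localhost:3000/logout
      # Returns a generic failure for unknown users to avoid username enumeration.
      PreventUserExistenceErrors: ENABLED
      RefreshTokenValidity: ${self:custom.cognito.refreshTokenExpirationInDays}
      SupportedIdentityProviders:
        - COGNITO
      TokenValidityUnits:
        AccessToken: hours
        IdToken: hours
        RefreshToken: days
      UserPoolId: !Ref CognitoUserPool

  # Client 1: id/access tokens valid for 2 hours. No OAuth flows or scopes are
  # enabled; the permitted auth flows come from custom config.
  ClientOne:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      ClientName: 'Client 1'
      AccessTokenValidity: 2
      AllowedOAuthFlowsUserPoolClient: false
      AllowedOAuthFlows: []
      AllowedOAuthScopes: []
      CallbackURLs:
        - http://localhost:3001
      ExplicitAuthFlows: ${self:custom.cognito.clientExplicitAuthFlows}
      GenerateSecret: false
      IdTokenValidity: 2
      PreventUserExistenceErrors: ENABLED
      RefreshTokenValidity: ${self:custom.cognito.refreshTokenExpirationInDays}
      SupportedIdentityProviders: []
      TokenValidityUnits:
        AccessToken: hours
        IdToken: hours
        RefreshToken: days
      UserPoolId: !Ref CognitoUserPool

  # Client 2: same shape as Client 1 but with 1-hour id/access tokens.
  ClientTwo:
    Type: 'AWS::Cognito::UserPoolClient'
    Properties:
      ClientName: 'Client 2'
      AccessTokenValidity: 1
      AllowedOAuthFlowsUserPoolClient: false
      AllowedOAuthFlows: []
      AllowedOAuthScopes: []
      CallbackURLs:
        - http://localhost:3002
      ExplicitAuthFlows: ${self:custom.cognito.clientExplicitAuthFlows}
      GenerateSecret: false
      IdTokenValidity: 1
      PreventUserExistenceErrors: ENABLED
      RefreshTokenValidity: ${self:custom.cognito.refreshTokenExpirationInDays}
      SupportedIdentityProviders: []
      TokenValidityUnits:
        AccessToken: hours
        IdToken: hours
        RefreshToken: days
      UserPoolId: !Ref CognitoUserPool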
Outputs:
  # Stack outputs identifying the user pool declared in Resources above.
  UserPoolId:
    Value:
      Ref: CognitoUserPool
  UserPoolName:
    Value: '${self:custom.cognito.userPoolName}'