Commit

Add missing cognito oauth scope (#7450)
For some reason, the hosted UI for both email-and-password and SSO sign-in, as well as the `Auth.federatedSignIn({provider: 'Google'})` call, require the `aws.cognito.signin.user.admin` scope to be enabled to fetch and update user attributes. However, a call to `Auth.signIn(email, password)` does not. This is not well documented in AWS Cognito.

# Important Notes
`aws.cognito.signin.user.admin` gives you access to all Cognito User Pool APIs, which `federatedSignIn` with the Google provider uses to get `currentUserInfo()`, where we store the optional `organizationId`. It does not provide any admin-level access to other Cognito or AWS parts.
PabloBuchu authored Aug 1, 2023
1 parent: 7441a9a; commit: 74551b3
Showing 1 changed file with 5 additions and 1 deletion.
Expand Up @@ -84,7 +84,11 @@ export type RegisterOpenAuthenticationUrlCallbackFn = () => void
/** AWS region in which our Cognito pool is located. */
export const AWS_REGION = AwsRegion('eu-west-1')
/** Complete list of OAuth scopes used by the app. */
export const OAUTH_SCOPES = [OAuthScope('email'), OAuthScope('openid')]
export const OAUTH_SCOPES = [
OAuthScope('email'),
OAuthScope('openid'),
OAuthScope('aws.cognito.signin.user.admin'),
]
/** OAuth response type used in the OAuth flows. */
export const OAUTH_RESPONSE_TYPE = OAuthResponseType('code')
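Review bot: the rationale for `OAuthScope('aws.cognito.signin.user.admin')` lives only in the commit message; add a one-line comment above it in the `OAUTH_SCOPES` array (e.g. `// Required by the hosted UI and federatedSignIn to read/update user attributes; Auth.signIn does not need it.`) so a later cleanup does not drop it as unused. Worth noting in that comment as well: with this scope the access token can call every user-pool API on behalf of the signed-in user (not only reading attributes, but also updating attributes and changing the password), so the token now warrants the same handling care as a session credential, even though, as the message says, it grants no admin access to other Cognito or AWS resources.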


0 comments on commit 74551b3
