aws · mergify · Dec 20, 2022 · Nov 22, 2022 · Nov 22, 2022 · Nov 22, 2022
diff --git a/packages/@aws-cdk/aws-cognito/README.md b/packages/@aws-cdk/aws-cognito/README.md
@@ -37,23 +37,26 @@ This module is part of the [AWS Cloud Development Kit](https://github.com/aws/aw
 
 ## Table of Contents
 
-- [User Pools](#user-pools)
-  - [Sign Up](#sign-up)
-  - [Sign In](#sign-in)
-  - [Attributes](#attributes)
-  - [Security](#security)
-    - [Multi-factor Authentication](#multi-factor-authentication-mfa)
-    - [Account Recovery Settings](#account-recovery-settings)
-  - [Emails](#emails)
-  - [Device Tracking](#device-tracking)
-  - [Lambda Triggers](#lambda-triggers)
-    - [Trigger Permissions](#trigger-permissions)
-  - [Import](#importing-user-pools)
-  - [Identity Providers](#identity-providers)
-  - [App Clients](#app-clients)
-  - [Resource Servers](#resource-servers)
-  - [Domains](#domains)
-  - [Deletion protection](#deletion-protection)
+- [Amazon Cognito Construct Library](#amazon-cognito-construct-library)
+  - [Table of Contents](#table-of-contents)
+  - [User Pools](#user-pools)
+    - [Sign Up](#sign-up)
+    - [Sign In](#sign-in)
+    - [Attributes](#attributes)
+    - [Attribute verification](#attribute-verification)
+    - [Security](#security)
+      - [Multi-factor Authentication (MFA)](#multi-factor-authentication-mfa)
+      - [Account Recovery Settings](#account-recovery-settings)
+    - [Emails](#emails)
+    - [Device Tracking](#device-tracking)
+    - [Lambda Triggers](#lambda-triggers)
+      - [Trigger Permissions](#trigger-permissions)
+    - [Importing User Pools](#importing-user-pools)
+    - [Identity Providers](#identity-providers)
+    - [App Clients](#app-clients)
+    - [Resource Servers](#resource-servers)
+    - [Domains](#domains)
+    - [Deletion protection](#deletion-protection)
 
 ## User Pools
 
@@ -698,6 +701,17 @@ const client = pool.addClient('app-client', {
 client.node.addDependency(provider);
 ```
 
+The property `authSessionValidity` is the session token for each API request in the authentication flow.
+Valid duration is from 3 to 15 minutes.
+
+```ts
+const pool = new cognito.UserPool(this, 'Pool');
+pool.addClient('app-client', {
+  // ...
+  authSessionValidity: Duration.minutes(15),
+});
+```
+
 In accordance with the OIDC open standard, Cognito user pool clients provide access tokens, ID tokens and refresh tokens.
 More information is available at [Using Tokens with User Pools](https://docs.aws.amazon.com/en_us/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html).
 The expiration time for these tokens can be configured as shown below.

diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-client.ts
@@ -239,6 +239,15 @@ export interface UserPoolClientOptions {
    */
   readonly oAuth?: OAuthSettings;
 
+  /**
+   * Cognito creates a session token for each API request in an authentication flow.
+   * AuthSessionValidity is the duration, in minutes, of that session token.
+   * see defaults in `AuthSessionValidity`. Valid duration is from 3 to 15 minutes.
+   * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-authsessionvalidity
+   * @default - Duration.minutes(3)
+   */
+  readonly authSessionValidity?: Duration;
+
   /**
    * Whether Cognito returns a UserNotFoundException exception when the
    * user does not exist in the user pool (false), or whether it returns
@@ -409,6 +418,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
       writeAttributes: props.writeAttributes?.attributes(),
       enableTokenRevocation: props.enableTokenRevocation,
     });
+    this.configureAuthSessionValidity(resource, props);
     this.configureTokenValidity(resource, props);
 
     this.userPoolClientId = resource.ref;
@@ -522,6 +532,11 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
     return Array.from(providers);
   }
 
+  private configureAuthSessionValidity(resource: CfnUserPoolClient, props: UserPoolClientProps) {
+    this.validateDuration('authSessionValidity', Duration.minutes(3), Duration.minutes(15), props.authSessionValidity);
+    resource.authSessionValidity = props.authSessionValidity ? props.authSessionValidity.toMinutes() : undefined;
+  }
+
   private configureTokenValidity(resource: CfnUserPoolClient, props: UserPoolClientProps) {
     this.validateDuration('idTokenValidity', Duration.minutes(5), Duration.days(1), props.idTokenValidity);
     this.validateDuration('accessTokenValidity', Duration.minutes(5), Duration.days(1), props.accessTokenValidity);

diff --git a/....snapshot/asset.105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286/index.js b/....snapshot/asset.105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286/index.js
diff --git a/....snapshot/asset.a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476/index.js b/....snapshot/asset.a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476/index.js
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/cdk.out b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/cdk.out
@@ -1 +1 @@
-{"version":"20.0.0"}
+{"version":"21.0.0"}
diff --git a/...-pool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.assets.json b/...-pool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.assets.json
@@ -1,28 +1,28 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "files": {
-    "105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286": {
+    "a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476": {
       "source": {
-        "path": "asset.105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286",
+        "path": "asset.a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476",
         "packaging": "zip"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286.zip",
+          "objectKey": "a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476.zip",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }
     },
-    "800ae0e8612e8f6d8cb727c55cf20dc51d4cbcc37c1e1701560675517ff5134a": {
+    "c2d925005ce1ea0db47e73cb0e76cc9f0f9347ede3ba8abe8f0768effe102872": {
       "source": {
         "path": "integ-user-pool-client-explicit-props.template.json",
         "packaging": "file"
       },
       "destinations": {
         "current_account-current_region": {
           "bucketName": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}",
-          "objectKey": "800ae0e8612e8f6d8cb727c55cf20dc51d4cbcc37c1e1701560675517ff5134a.json",
+          "objectKey": "c2d925005ce1ea0db47e73cb0e76cc9f0f9347ede3ba8abe8f0768effe102872.json",
           "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-file-publishing-role-${AWS::AccountId}-${AWS::Region}"
         }
       }

diff --git a/...ool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json b/...ool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json
@@ -59,6 +59,7 @@
      "profile",
      "aws.cognito.signin.user.admin"
     ],
+    "AuthSessionValidity": 3,
     "CallbackURLs": [
      "https://redirect-here.myapp.com"
     ],
@@ -203,7 +204,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286.zip"
+     "S3Key": "a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476.zip"
     },
     "Role": {
      "Fn::GetAtt": [

diff --git a/...es/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/integ.json b/...es/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/integ.json
@@ -1,5 +1,5 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "testCases": {
     "integ.user-pool-client-explicit-props": {
       "stacks": [

diff --git a/...@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/manifest.json b/...@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/manifest.json
@@ -1,12 +1,6 @@
 {
-  "version": "20.0.0",
+  "version": "21.0.0",
   "artifacts": {
-    "Tree": {
-      "type": "cdk:tree",
-      "properties": {
-        "file": "tree.json"
-      }
-    },
     "integ-user-pool-client-explicit-props.assets": {
       "type": "cdk:asset-manifest",
       "properties": {
@@ -23,7 +17,7 @@
         "validateOnSynth": false,
         "assumeRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-deploy-role-${AWS::AccountId}-${AWS::Region}",
         "cloudFormationExecutionRoleArn": "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/cdk-hnb659fds-cfn-exec-role-${AWS::AccountId}-${AWS::Region}",
-        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/800ae0e8612e8f6d8cb727c55cf20dc51d4cbcc37c1e1701560675517ff5134a.json",
+        "stackTemplateAssetObjectUrl": "s3://cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}/c2d925005ce1ea0db47e73cb0e76cc9f0f9347ede3ba8abe8f0768effe102872.json",
         "requiresBootstrapStackVersion": 6,
         "bootstrapStackVersionSsmParameter": "/cdk-bootstrap/hnb659fds/version",
         "additionalDependencies": [
@@ -95,6 +89,12 @@
         ]
       },
       "displayName": "integ-user-pool-client-explicit-props"
+    },
+    "Tree": {
+      "type": "cdk:tree",
+      "properties": {
+        "file": "tree.json"
+      }
     }
   }
 }
diff --git a/...ges/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json b/...ges/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json
@@ -4,14 +4,6 @@
     "id": "App",
     "path": "",
     "children": {
-      "Tree": {
-        "id": "Tree",
-        "path": "Tree",
-        "constructInfo": {
-          "fqn": "constructs.Construct",
-          "version": "10.1.85"
-        }
-      },
       "integ-user-pool-client-explicit-props": {
         "id": "integ-user-pool-client-explicit-props",
         "path": "integ-user-pool-client-explicit-props",
@@ -92,6 +84,7 @@
                           "profile",
                           "aws.cognito.signin.user.admin"
                         ],
+                        "authSessionValidity": 3,
                         "callbackUrLs": [
                           "https://redirect-here.myapp.com"
                         ],
@@ -156,14 +149,14 @@
                             "id": "Default",
                             "path": "integ-user-pool-client-explicit-props/myuserpool/myuserpoolclient/DescribeCognitoUserPoolClient/Resource/Default",
                             "constructInfo": {
-                              "fqn": "constructs.Construct",
-                              "version": "10.1.85"
+                              "fqn": "@aws-cdk/core.CfnResource",
+                              "version": "0.0.0"
                             }
                           }
                         },
                         "constructInfo": {
-                          "fqn": "constructs.Construct",
-                          "version": "10.1.85"
+                          "fqn": "@aws-cdk/core.CustomResource",
+                          "version": "0.0.0"
                         }
                       },
                       "CustomResourcePolicy": {
@@ -236,6 +229,14 @@
                 "id": "ServiceRole",
                 "path": "integ-user-pool-client-explicit-props/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole",
                 "children": {
+                  "ImportServiceRole": {
+                    "id": "ImportServiceRole",
+                    "path": "integ-user-pool-client-explicit-props/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/ImportServiceRole",
+                    "constructInfo": {
+                      "fqn": "@aws-cdk/core.Resource",
+                      "version": "0.0.0"
+                    }
+                  },
                   "Resource": {
                     "id": "Resource",
                     "path": "integ-user-pool-client-explicit-props/AWS679f53fac002430cb0da5b7982bd2287/ServiceRole/Resource",
@@ -289,8 +290,8 @@
                     "id": "Stage",
                     "path": "integ-user-pool-client-explicit-props/AWS679f53fac002430cb0da5b7982bd2287/Code/Stage",
                     "constructInfo": {
-                      "fqn": "constructs.Construct",
-                      "version": "10.1.85"
+                      "fqn": "@aws-cdk/core.AssetStaging",
+                      "version": "0.0.0"
                     }
                   },
                   "AssetBucket": {
@@ -317,7 +318,7 @@
                       "s3Bucket": {
                         "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
                       },
-                      "s3Key": "105b4f39ae68785e705640aa91919e412fcba2dd454aca53412747be8d955286.zip"
+                      "s3Key": "a268caa53756f51bda8ad5f499be4ed8484a81b314811806fbb66f874837c476.zip"
                     },
                     "role": {
                       "Fn::GetAtt": [
@@ -369,17 +370,41 @@
               "fqn": "@aws-cdk/aws-secretsmanager.Secret",
               "version": "0.0.0"
             }
+          },
+          "BootstrapVersion": {
+            "id": "BootstrapVersion",
+            "path": "integ-user-pool-client-explicit-props/BootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnParameter",
+              "version": "0.0.0"
+            }
+          },
+          "CheckBootstrapVersion": {
+            "id": "CheckBootstrapVersion",
+            "path": "integ-user-pool-client-explicit-props/CheckBootstrapVersion",
+            "constructInfo": {
+              "fqn": "@aws-cdk/core.CfnRule",
+              "version": "0.0.0"
+            }
           }
         },
+        "constructInfo": {
+          "fqn": "@aws-cdk/core.Stack",
+          "version": "0.0.0"
+        }
+      },
+      "Tree": {
+        "id": "Tree",
+        "path": "Tree",
         "constructInfo": {
           "fqn": "constructs.Construct",
-          "version": "10.1.85"
+          "version": "10.1.161"
         }
       }
     },
     "constructInfo": {
-      "fqn": "constructs.Construct",
-      "version": "10.1.85"
+      "fqn": "@aws-cdk/core.App",
+      "version": "0.0.0"
     }
   }
 }
diff --git a/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.ts b/packages/@aws-cdk/aws-cognito/test/integ.user-pool-client-explicit-props.ts
@@ -1,5 +1,5 @@
 import { Secret } from '@aws-cdk/aws-secretsmanager';
-import { App, RemovalPolicy, Stack } from '@aws-cdk/core';
+import { App, Duration, RemovalPolicy, Stack } from '@aws-cdk/core';
 import { ClientAttributes, OAuthScope, StringAttribute, UserPool } from '../lib';
 
 const app = new App();
@@ -37,6 +37,7 @@ const client = userpool.addClient('myuserpoolclient', {
     callbackUrls: ['https://redirect-here.myapp.com'],
   },
   preventUserExistenceErrors: true,
+  authSessionValidity: Duration.minutes(3),
   writeAttributes: (new ClientAttributes()).withStandardAttributes(
     {
       address: true,