cognito/cognito.yaml (109 lines of code):

AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Panda example Cognito user pool.

  The following are required fields for users:
  - email (used as the "identity" of the user; there are no separate usernames)
  - name
  - given_name
  - family_name

  The following fields are optional:
  - profile
  - picture
  - locale

Parameters:
  Name:
    Type: String
    Description: The name of the user pool
  RefreshTokenValidity:
    Type: Number
    Description: The time limit, in days, after which the refresh token is no longer valid.
  CookieName:
    Type: String
    Description: The name of the cookie that will be shared across all Panda-enabled applications
  DomainName:
    Type: String
    Description: The name of the domain on which the cookie will be placed
  CognitoDomainPrefix:
    Type: String
    Description: The domain prefix used for hosting the Cognito login UI (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-assign-domain.html)
  OAuthCallbacks:
    Type: String
    Description: Comma-separated list of OAuth callback URLs, one for each application issuing logins

Resources:
  UserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      # Users are provisioned by an administrator only; self-sign-up is disabled
      AdminCreateUserConfig:
        AllowAdminCreateUserOnly: true
      AutoVerifiedAttributes:
        - email
      UsernameAttributes:
        - email
      UserPoolName: !Ref Name
      # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
      Schema:
        - Name: name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: given_name
          AttributeDataType: String
          Mutable: true
          Required: true
        - Name: family_name
          AttributeDataType: String
          Mutable: true
          Required: true
        # optional
        - Name: profile
          AttributeDataType: String
          Mutable: true
          Required: false
        - Name: picture
          AttributeDataType: String
          Mutable: true
          Required: false
        - Name: locale
          AttributeDataType: String
          Mutable: true
          Required: false

  UserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      UserPoolId: !Ref UserPool
      Domain: !Ref CognitoDomainPrefix

  UserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      # Authorization-code flow only; tokens are never returned directly in the redirect
      AllowedOAuthFlows:
        - code
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthScopes:
        - email
        - openid
        - profile
      CallbackURLs: !Split [',', !Ref OAuthCallbacks]
      ExplicitAuthFlows:
        - USER_PASSWORD_AUTH
      # Confidential client: the secret is required when exchanging the code for tokens
      GenerateSecret: true
      RefreshTokenValidity: !Ref RefreshTokenValidity
      UserPoolId: !Ref UserPool
      SupportedIdentityProviders:
        - COGNITO

  SettingsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: aws:kms

Outputs:
  UserPoolId:
    Value: !Ref UserPool
  UserPoolClientId:
    Value: !Ref UserPoolClient
  SettingsBucket:
    Value: !Ref SettingsBucket
  CookieName:
    Value: !Ref CookieName
  PublicSettingsFile:
    Value: !Sub ${DomainName}.settings.public
  PrivateSettingsFile:
    Value: !Sub ${DomainName}.settings
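The template takes `OAuthCallbacks` as a comma-separated string and binds it with `!Split [',', !Ref OAuthCallbacks]`, and it hands `CognitoDomainPrefix` straight to `AWS::Cognito::UserPoolDomain`. Cognito validates both only at stack creation time, so a bad value surfaces as a rollback. The following pre-deployment check is an added example, not code from the Panda repository; it applies Cognito's documented constraints (callback URLs must be absolute `https` URLs without a fragment, with plain `http://localhost` permitted for local testing; the domain prefix is lowercase alphanumerics and hyphens, not starting or ending with a hyphen, and may not contain the words `aws`, `amazon` or `cognito`). The sample parameter values at the bottom are constructed for illustration.

```python
"""Pre-deployment check for the OAuthCallbacks and CognitoDomainPrefix
parameters of cognito.yaml (added example, not part of the repository)."""
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Lowercase alphanumerics and hyphens, 1-63 chars, no leading/trailing hyphen.
DOMAIN_PREFIX_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
# Words Cognito refuses inside a hosted-UI domain prefix.
RESERVED_WORDS = ("aws", "amazon", "cognito")


def split_callbacks(param: str) -> List[str]:
    """Mirror `!Split [',', !Ref OAuthCallbacks]`: split on commas, keep order,
    and drop surrounding whitespace and empty entries."""
    return [part.strip() for part in param.split(",") if part.strip()]


def check_callback(url: str) -> Optional[str]:
    """Return the reason Cognito would reject this callback URL, or None if OK."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return "not an absolute URL"
    if parts.fragment:
        return "fragment component is not allowed"
    if parts.scheme == "https":
        return None
    if parts.scheme == "http" and parts.hostname == "localhost":
        return None  # plain-http localhost is permitted for local development
    return "must use https (http is only permitted for localhost)"


def check_domain_prefix(prefix: str) -> Optional[str]:
    """Return the reason the hosted-UI domain prefix is invalid, or None if OK."""
    if not DOMAIN_PREFIX_RE.fullmatch(prefix):
        return ("must be 1-63 lowercase letters, digits or hyphens, "
                "and may not start or end with a hyphen")
    for word in RESERVED_WORDS:
        if word in prefix:
            return f"may not contain the reserved word {word!r}"
    return None


def validate_parameters(oauth_callbacks: str, domain_prefix: str) -> List[str]:
    """Collect every problem with the two parameters; an empty list means deployable."""
    problems: List[str] = []
    urls = split_callbacks(oauth_callbacks)
    if not urls:
        problems.append("OAuthCallbacks: at least one callback URL is required")
    for url in urls:
        reason = check_callback(url)
        if reason:
            problems.append(f"OAuthCallbacks: {url}: {reason}")
    reason = check_domain_prefix(domain_prefix)
    if reason:
        problems.append(f"CognitoDomainPrefix: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, as they would be passed via --parameter-overrides.
    sample_callbacks = "https://app.example.com/auth/callback, http://localhost:3000/auth/callback"
    sample_prefix = "panda-example"
    for problem in validate_parameters(sample_callbacks, sample_prefix):
        print("ERROR:", problem)
    print("ok" if not validate_parameters(sample_callbacks, sample_prefix) else "invalid")
```

Run it against the exact strings you intend to pass to `aws cloudformation deploy --parameter-overrides`; the whitespace handling in `split_callbacks` deliberately matches how the template's `!Split` output is used as a list, so a URL that passes here is the URL Cognito will register.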