@padajo
Created October 21, 2022 17:41
A starter template for creating an OpenID Connect (OIDC) identity provider on Amazon Cognito using SAM/CloudFormation. It creates a user pool, a hosted-UI domain, a public app client (the OIDC client_id) and a resource server with custom scopes, and its Outputs include the pool's /.well-known/openid-configuration and /.well-known/jwks.json URLs, which are what a relying party needs to discover the endpoints and verify the tokens the pool issues.
```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  openid-connect-app
  Testing creating an OpenID Identity Provider with Cognito
Transform:
  - AWS::Serverless-2016-10-31  # SAM transform; harmless here, no Serverless resources are declared

Resources:
  IdentityUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: TestUserPool
      UsernameConfiguration:
        # With True, User@example.com and user@example.com are two different accounts;
        # AWS recommends False for new pools.
        CaseSensitive: True
      UsernameAttributes:
        - email

  ####### Change the Domain name here or this is likely to fail #######
  IdentityUserPoolDomain:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      # The hosted-UI prefix domain is global across all AWS accounts, so it must be
      # unique even when only testing (lowercase letters, digits and hyphens only).
      Domain: MAKE-THIS-UNIQUE-BECAUSE-IT-IS-GLOBAL
      UserPoolId: !Ref IdentityUserPool

  # The app client. Its ClientId is the OIDC client_id. GenerateSecret: False makes it a
  # public client, so the app should use the authorization code flow with PKCE.
  IdentityUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref IdentityUserPool
      ClientName: TestUserPoolClient
      GenerateSecret: False
      ReadAttributes:
        - email
      WriteAttributes:
        - email
      # These five properties go together: the OAuth 2.0 / hosted-UI endpoints are only
      # enabled for this client when AllowedOAuthFlowsUserPoolClient is True, and
      # DefaultRedirectURI must be one of the CallbackURLs.
      AllowedOAuthFlowsUserPoolClient: True
      AllowedOAuthFlows:
        - code
      AllowedOAuthScopes:
        - email
        - aws.cognito.signin.user.admin
        - openid
        - profile
        # Custom scopes defined by the resource server below (add a DependsOn on the
        # resource server before enabling these):
        # - custom/read
        # - custom/write
      CallbackURLs:
        - http://localhost:8000/callback  # testing only; Cognito accepts plain http for localhost only
      DefaultRedirectURI: http://localhost:8000/callback  # testing only

  IdentityUserPoolClientCustomScopeResource:
    Type: AWS::Cognito::UserPoolResourceServer
    Properties:
      Identifier: custom
      Name: custom
      Scopes:
        - ScopeDescription: Read
          ScopeName: read
        - ScopeDescription: Write
          ScopeName: write  # scope names are case-sensitive; "custom/write" above expects lowercase
      UserPoolId: !Ref IdentityUserPool

Outputs:
  IdentityUserPoolId:
    Description: "The Identity User Pool ID"
    Value: !Ref IdentityUserPool
  IdentityUserPoolProviderName:
    Description: "The Identity User Pool Provider Name"
    Value: !GetAtt IdentityUserPool.ProviderName
  IdentityUserPoolProviderUrl:
    Description: "The Identity User Pool Provider Url"
    Value: !GetAtt IdentityUserPool.ProviderURL
  IdentityDomain:
    Description: "The Identity User Pool (hosted UI) Domain"
    Value: !Sub "${IdentityUserPoolDomain}.auth.${AWS::Region}.amazoncognito.com"
  OIDCWellKnownConfigurationUrl:
    Description: "The OpenID Connect /.well-known/openid-configuration Url"
    Value: !Sub "https://cognito-idp.${AWS::Region}.amazonaws.com/${IdentityUserPool}/.well-known/openid-configuration"
  OIDCJWKSJSONUrl:
    Description: "The OpenID Connect /.well-known/jwks.json Url"
    Value: !Sub "https://cognito-idp.${AWS::Region}.amazonaws.com/${IdentityUserPool}/.well-known/jwks.json"
```
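The two well-known URLs in the Outputs are the issuer-side half of the setup; the relying-party half is fetching jwks.json and verifying the tokens the pool issues. The following is an added example, not part of the gist and not AWS code, showing the checks Cognito's documentation requires a relying party to make on a JWT: pick the JWK by `kid`, verify the RS256 signature, then check `iss` against the pool's issuer URL, `token_use`, the `aud` (ID token) or `client_id` (access token) against the app client, and `exp`. It is stdlib-only: the RSASSA-PKCS1-v1_5 verification is done by hand so the JWKS `n`/`e` values are visible in use, and because Cognito's private key is not available offline, a throwaway RSA key built from two Mersenne primes (cryptographically worthless, test-only) mints a sample token. The region, pool ID and client ID are placeholders; in a real deployment, fetch the `OIDCJWKSJSONUrl` output, cache it, and use a maintained JWT library.

```python
"""Cognito JWT relying-party checks, offline. Added example, not part of the gist."""
import base64
import hashlib
import hmac
import json
import time

REGION = "eu-west-1"                         # placeholder
POOL_ID = "eu-west-1_EXAMPLE1"               # placeholder pool id (shape only)
CLIENT_ID = "1example23456789abcdefghijkl"   # placeholder app client id


def b64u_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def well_known_urls(region: str, pool_id: str) -> dict:
    """Same URLs the template emits in its Outputs; the issuer is the pool, not the hosted-UI domain."""
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"
    return {"issuer": issuer,
            "openid-configuration": issuer + "/.well-known/openid-configuration",
            "jwks": issuer + "/.well-known/jwks.json"}


# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
_SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _pkcs1_v15_em(msg: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo || SHA-256(msg), k bytes long."""
    t = _SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """RSASSA-PKCS1-v1_5 verify using the JWK's n and e (stdlib only)."""
    n = int.from_bytes(b64u_decode(jwk["n"]), "big")
    e = int.from_bytes(b64u_decode(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_v15_em(signing_input, k))


def validate_cognito_jwt(token: str, jwks: dict, region: str, pool_id: str,
                         client_id: str, expected_use: str, now=None) -> dict:
    """Return the claims if token is a valid Cognito token for this pool and client; raise ValueError otherwise."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64u_decode(h64))
    if header.get("alg") != "RS256":          # never let the token choose the verifier
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None or not rs256_verify(key, f"{h64}.{p64}".encode(), b64u_decode(s64)):
        raise ValueError("bad signature or unknown kid")
    claims = json.loads(b64u_decode(p64))
    if claims.get("iss") != well_known_urls(region, pool_id)["issuer"]:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != expected_use:
        raise ValueError("wrong token_use")
    # ID tokens carry the app client in aud; access tokens carry it in client_id
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != client_id:
        raise ValueError("token not issued for this app client")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


# Test-only key material: throwaway RSA key from two Mersenne primes so no prime search is
# needed. This stands in for Cognito's private key; it is NOT a usable key.
_P, _Q = 2**521 - 1, 2**607 - 1
_N, _E = _P * _Q, 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "test-key-1",
                         "n": b64u_encode(_N.to_bytes((_N.bit_length() + 7) // 8, "big")),
                         "e": b64u_encode(_E.to_bytes(3, "big"))}]}


def mint_sample_token(claims: dict, kid: str = "test-key-1") -> str:
    """Sign claims with the throwaway key, the way Cognito signs with its pool key."""
    header = b64u_encode(json.dumps({"kid": kid, "alg": "RS256"}).encode())
    payload = b64u_encode(json.dumps(claims).encode())
    k = (_N.bit_length() + 7) // 8
    m = int.from_bytes(_pkcs1_v15_em(f"{header}.{payload}".encode(), k), "big")
    return f"{header}.{payload}.{b64u_encode(pow(m, _D, _N).to_bytes(k, 'big'))}"


def demo() -> dict:
    """Mint an ID token for the placeholder pool/client and run the relying-party checks on it."""
    now = 1_700_000_000
    claims = {"iss": well_known_urls(REGION, POOL_ID)["issuer"], "sub": "example-sub",
              "aud": CLIENT_ID, "token_use": "id", "email": "user@example.com",
              "iat": now, "exp": now + 3600}
    return validate_cognito_jwt(mint_sample_token(claims), SAMPLE_JWKS,
                                REGION, POOL_ID, CLIENT_ID, "id", now=now)
```

The `alg` check comes before the key lookup on purpose: the header is attacker-controlled until the signature is verified, so the verifier is fixed to RS256 rather than chosen from the token. A token from a different pool (wrong `iss`), a different app client (wrong `aud`/`client_id`), or an access token presented where an ID token is expected (`token_use`) all fail even with a good signature.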