diff --git a/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts b/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
index b201b31536c72..72a1b5f3f70e2 100644
--- a/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
+++ b/packages/@aws-cdk/aws-cognito/lib/user-pool-domain.ts
@@ -152,10 +152,13 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 /**
 * The URL to the hosted UI associated with this domain
+
+ * @param options options to customize baseUrl
 */
- public baseUrl(): string {
+ public baseUrl(options?: BaseUrlOptions): string {
 if (this.isCognitoDomain) {
- return `https://${this.domainName}.auth.${Stack.of(this).region}.amazoncognito.com`;
+ const authDomain = 'auth' + (options?.fips ? '-fips' : '');
+ return `https://${this.domainName}.${authDomain}.${Stack.of(this).region}.amazoncognito.com`;
 }
 return `https://${this.domainName}`;
 }
@@ -163,7 +166,7 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 /**
 * The URL to the sign in page in this domain using a specific UserPoolClient
 * @param client [disable-awslint:ref-via-interface] the user pool client that the UI will use to interact with the UserPool
- * @param options options to customize the behaviour of this method.
+ * @param options options to customize signInUrl.
 */
 public signInUrl(client: UserPoolClient, options: SignInUrlOptions): string {
 let responseType: string;
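Review bot: The new `fips` option is silently ignored for custom domains: when `this.isCognitoDomain` is false the method still returns `https://${this.domainName}` whatever `options` holds, and neither the `@param options` line added here nor the `fips` docstring on `BaseUrlOptions` in the later hunk of this file says so. Suggest extending that docstring with `* Only affects Cognito-hosted domains (`*.amazoncognito.com`); ignored for custom domains.` so callers do not assume a FIPS endpoint was selected. The method also cannot validate that the stack's region actually offers the `auth-fips` hosted-UI endpoint, since `Stack.of(this).region` is presumably an unresolved token at this point; the docstring should state that choosing a supported region is the caller's responsibility rather than implying the option works everywhere.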
@@ -175,14 +178,26 @@ export class UserPoolDomain extends Resource implements IUserPoolDomain {
 throw new Error('signInUrl is not supported for clients without authorizationCodeGrant or implicitCodeGrant flow enabled');
 }
 const path = options.signInPath ?? '/login';
- return `${this.baseUrl()}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
+ return `${this.baseUrl(options)}${path}?client_id=${client.userPoolClientId}&response_type=${responseType}&redirect_uri=${options.redirectUri}`;
 }
 }
+/**
+ * Options to customize the behaviour of `baseUrl()`
+ */
+export interface BaseUrlOptions {
+ /**
+ * Whether to return the FIPS-compliant endpoint
+ *
+ * @default return the standard URL
+ */
+ readonly fips?: boolean;
+}
+
 /**
 * Options to customize the behaviour of `signInUrl()`
 */
-export interface SignInUrlOptions {
+export interface SignInUrlOptions extends BaseUrlOptions {
 /**
 * Where to redirect to after sign in
 */
diff --git a/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts b/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
index 7cbc013951271..ea751c58d4380 100644
--- a/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
+++ b/packages/@aws-cdk/aws-cognito/test/user-pool-domain.test.ts
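Review bot: The rewritten return line still interpolates `options.redirectUri` verbatim into the query string, so a redirect URI containing `&`, `#` or `?` yields a malformed sign-in URL whose later parameters are no longer the ones this method intended; this predates the commit, but the line is being touched. Wrapping the value in `encodeURIComponent` would presumably also mangle CDK tokens inside it, so if encoding is not done here the `redirectUri` docstring in this hunk should at least state the contract: `* Where to redirect to after sign in. Interpolated into the query string as-is, so it must already be URL-encoded.`. `signInUrl` itself starts before this hunk; its `@param options` text could also mention that `fips` is forwarded to `baseUrl()` now that `SignInUrlOptions` extends `BaseUrlOptions`.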
@@ -164,6 +164,62 @@ describe('User Pool Client', () => {
 Template.fromStack(stack).resourceCountIs('AWS::Cognito::UserPoolDomain', 0);
 });
+ describe('baseUrl', () => {
+ test('returns the expected standard URL', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+ const domain = pool.addDomain('Domain', {
+ cognitoDomain: {
+ domainPrefix: 'cognito-domain-prefix',
+ },
+ });
+
+ // WHEN
+ const baseUrl = domain.baseUrl();
+
+ // THEN
+ expect(stack.resolve(baseUrl)).toEqual({
+ 'Fn::Join': [
+ '', [
+ 'https://',
+ { Ref: 'PoolDomainCFC71F56' },
+ '.auth.',
+ { Ref: 'AWS::Region' },
+ '.amazoncognito.com',
+ ],
+ ],
+ });
+ });
+
+ test('returns the expected FIPS-compliant endpoint URL', () => {
+ // GIVEN
+ const stack = new Stack();
+ const pool = new UserPool(stack, 'Pool');
+ const domain = pool.addDomain('Domain', {
+ cognitoDomain: {
+ domainPrefix: 'cognito-domain-prefix',
+ },
+ });
+
+ // WHEN
+ const baseUrl = domain.baseUrl({ fips: true });
+
+ // THEN
+ expect(stack.resolve(baseUrl)).toEqual({
+ 'Fn::Join': [
+ '', [
+ 'https://',
+ { Ref: 'PoolDomainCFC71F56' },
+ '.auth-fips.',
+ { Ref: 'AWS::Region' },
+ '.amazoncognito.com',
+ ],
+ ],
+ });
+ });
+ });
+
 describe('signInUrl', () => {
 test('returns the expected URL', () => {
 // GIVEN
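Review bot: The two new `baseUrl` tests only cover the Cognito-hosted domain, so neither behaviour the commit introduces at the boundaries is pinned: that `fips: true` leaves a custom domain's URL unchanged, and that `signInUrl()` forwards the option so the sign-in URL gains the `auth-fips` host. Both tests inherit the shared `domainPrefix` / `PoolDomainCFC71F56` fixture of the two tests above and could share a helper, but the missing case I would add first is the propagation through `signInUrl`, in the `describe('signInUrl')` block that begins at the end of this hunk and continues past it. A sketch (constructed values, client options taken from the `UserPoolClient` oAuth flow settings the method already depends on):

```typescript
test('forwards fips to the base URL', () => {
  // GIVEN
  const stack = new Stack();
  const pool = new UserPool(stack, 'Pool');
  const client = pool.addClient('Client', {
    oAuth: { flows: { implicitCodeGrant: true } },
  });
  const domain = pool.addDomain('Domain', {
    cognitoDomain: { domainPrefix: 'cognito-domain-prefix' },
  });

  // WHEN
  const signInUrl = domain.signInUrl(client, { redirectUri: 'https://example.com', fips: true });

  // THEN
  expect(JSON.stringify(stack.resolve(signInUrl))).toContain('.auth-fips.');
});
```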