❗ NOTICE (aws-apigateway): Authorization Scopes not rendered with CognitoUserPoolsAuthorizer #30444

@t0bst4r

Description

Please add your +1 👍 to let us know you have encountered this

Status: IN-PROGRESS

Overview:

Describe the bug

When using CognitoUserPoolsAuthorizer with authorizationScopes, the scopes are not rendered into the CloudFormation template if authorizationType is not set explicitly. This worked before version 2.142.0.

Expected Behavior

Scopes are rendered to the CloudFormation template when using CognitoUserPoolsAuthorizer without setting authorizationType explicitly. The authorizationType of the authorizer should be used implicitly.

Current Behavior

Scopes are not rendered to the CloudFormation template when using CognitoUserPoolsAuthorizer without setting authorizationType explicitly. They are only rendered when authorizationType is set explicitly.

A warning is printed during CDK synth:

'AuthorizationScopes' can only be set when 'AuthorizationType' sets 'COGNITO_USER_POOLS'. Default to ignore the values set in 'AuthorizationScopes'.

Reproduction Steps

import { Stack } from "aws-cdk-lib";
import { OAuthScope, UserPool } from "aws-cdk-lib/aws-cognito";
import { CognitoUserPoolsAuthorizer, RestApi } from "aws-cdk-lib/aws-apigateway";
import { Template } from "aws-cdk-lib/assertions";

const stack = new Stack(undefined, "Stack");
const userPool = UserPool.fromUserPoolId(stack, "UserPool", "userPoolId");
const authorizer = new CognitoUserPoolsAuthorizer(stack, "Authorizer", {
  cognitoUserPools: [userPool],
});
const restApi = new RestApi(stack, "RestApi", {
  deploy: true,
  defaultMethodOptions: {
    authorizer,
    // here we need to add the authorizationType to make it work
  },
});
restApi.root.resourceForPath("/user/profile").addMethod("GET", undefined, {
  authorizationScopes: [OAuthScope.PROFILE.scopeName], // this scope is missing
});
restApi.root.resourceForPath("/any/other").addMethod("POST");

console.log(Template.fromStack(stack).toJSON());
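An added post-synth check (not code from the issue or from aws-cdk-lib) that a CI pipeline could run over the synthesized template to catch exactly this regression: it resolves each method's path from the AWS::ApiGateway::Resource chain and reports methods whose expected AuthorizationScopes or COGNITO_USER_POOLS AuthorizationType are missing. The template below is a constructed sample of what the reproduction synthesizes with the bug present; auditScopes and resourcePath are hypothetical helper names.

```typescript
// Post-synth audit (added example, not part of aws-cdk-lib): checks a synthesized
// CloudFormation template for API Gateway methods whose Cognito scopes were dropped.
type CfnResource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };
type Expectation = { method: string; path: string; scopes: string[] };

// Rebuild the request path of an AWS::ApiGateway::Resource by walking ParentId
// references up to the RestApi root (a Fn::GetAtt on RootResourceId).
function resourcePath(tpl: Template, ref: any): string {
  if (ref === undefined || ref["Fn::GetAtt"]) return "";
  const res = tpl.Resources[ref.Ref];
  return `${resourcePath(tpl, res.Properties?.ParentId)}/${res.Properties?.PathPart}`;
}

// One finding per expectation the template fails to satisfy; empty means all good.
function auditScopes(tpl: Template, expected: Expectation[]): string[] {
  const findings: string[] = [];
  for (const exp of expected) {
    const id = Object.keys(tpl.Resources).find((k) => {
      const r = tpl.Resources[k];
      return r.Type === "AWS::ApiGateway::Method" &&
        r.Properties?.HttpMethod === exp.method &&
        resourcePath(tpl, r.Properties?.ResourceId) === exp.path;
    });
    if (id === undefined) { findings.push(`${exp.method} ${exp.path}: method not found`); continue; }
    const p = tpl.Resources[id].Properties ?? {};
    if (p.AuthorizationType !== "COGNITO_USER_POOLS")
      findings.push(`${exp.method} ${exp.path}: AuthorizationType is ${p.AuthorizationType ?? "unset"}`);
    const have: string[] = p.AuthorizationScopes ?? [];
    const missing = exp.scopes.filter((s) => !have.includes(s));
    if (missing.length > 0) findings.push(`${exp.method} ${exp.path}: missing scopes ${missing.join(",")}`);
  }
  return findings;
}

// Constructed sample (not real cdk synth output): GET /user/profile kept its
// authorizer but lost AuthorizationScopes, the symptom reported above.
const SAMPLE: Template = { Resources: {
  Api: { Type: "AWS::ApiGateway::RestApi", Properties: { Name: "RestApi" } },
  Auth: { Type: "AWS::ApiGateway::Authorizer", Properties: { Type: "COGNITO_USER_POOLS", RestApiId: { Ref: "Api" } } },
  User: { Type: "AWS::ApiGateway::Resource", Properties: { RestApiId: { Ref: "Api" }, PathPart: "user",
    ParentId: { "Fn::GetAtt": ["Api", "RootResourceId"] } } },
  Profile: { Type: "AWS::ApiGateway::Resource", Properties: { RestApiId: { Ref: "Api" }, PathPart: "profile",
    ParentId: { Ref: "User" } } },
  GetProfile: { Type: "AWS::ApiGateway::Method", Properties: { HttpMethod: "GET", ResourceId: { Ref: "Profile" },
    AuthorizationType: "COGNITO_USER_POOLS", AuthorizerId: { Ref: "Auth" } } },
} };
// The scope the reproduction attaches via OAuthScope.PROFILE.scopeName.
const EXPECTED: Expectation[] = [{ method: "GET", path: "/user/profile", scopes: ["profile"] }];
```

Running auditScopes(SAMPLE, EXPECTED) after cdk synth fails the build on the dropped scope instead of relying on someone noticing the synth-time warning.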

Workaround:

There are 2 workarounds:

  • You can pin the aws-cdk-lib version to 2.141.0.
  • You can update the RestApi definition as follows:

const restApi = new RestApi(stack, "RestApi", {
  deploy: true,
  defaultMethodOptions: {
    authorizer,
    // setting it explicitly:
    authorizationType: authorizer.authorizationType,
  },
});

Solution:

We are reverting the PR that introduced the breaking change.
