How can I set the allowed custom scopes of a Cognito User Pool App Client via cli or sdk?

TL;DR: Is there a way to set app client custom scopes via cli or sdk?

I'm trying to automate my Cognito deployment with CloudFormation. I've already made some custom resources since not everything is supported. For this I'm using the AWS JS SDK. I want to set 'Allowed Custom Scopes' for the app clients in a specific user pool. However, I am unable to find how to do this in any documentation AWS provides. The CLI docs say only this (Cognito-user-identity docs):

AllowedOAuthScopes
A list of allowed OAuth scopes. Currently supported values are "phone", "email", "openid", and "Cognito".

The scopes mentioned there are default scopes that are always available in user pool. But I also use custom scopes that are provided by a Custom Resource Server I've defined. Those look like: resourceServer.com/scope. I can't find any docs about setting those scopes.

So, is there a way to set custom scopes via cli or sdk?

Kaalaamaazoo asked May 29 '19 07:05


2 Answers

Custom scopes are supported in the AllowedOAuthScopes field.

Docs: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_CreateUserPoolClient.html#CognitoUserPools-CreateUserPoolClient-request-AllowedOAuthScopes

To update a user pool client via the CLI: https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/update-user-pool-client.html (check out the --allowed-o-auth-scopes option)

See the example CloudFormation below:

UserPoolResourceServer:
    Type: AWS::Cognito::UserPoolResourceServer
    Properties:
        # Custom scopes are referenced as "<Identifier>/<ScopeName>"
        Identifier: users
        Name: User API
        UserPoolId: !Ref UserPool
        Scopes:
            - ScopeName: "write"
              ScopeDescription: "Write access"
            - ScopeName: "read"
              ScopeDescription: "Read access"

UserPoolClientAdmin:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
        UserPoolId: !Ref UserPool          # required: the pool the client belongs to
        GenerateSecret: true               # client_credentials needs a client secret
        AllowedOAuthFlows:
            - client_credentials
        AllowedOAuthFlowsUserPoolClient: true
        AllowedOAuthScopes:
            - users/read
            - users/write
John Paulo Rodriguez answered Sep 17 '22 13:09
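The question also asks for an SDK route. The following is an added example, not code from the question or either answer: it builds the input for the AWS JS SDK v2 call CognitoIdentityServiceProvider.updateUserPoolClient so that an app client is granted custom scopes from a resource server. The pool id, client id, resource server identifier and scope names are constructed placeholders, and the SDK call itself is shown only in a comment because it needs credentials and the aws-sdk package.

```javascript
// Added example (not from the question or either answer): build the input for
// CognitoIdentityServiceProvider.updateUserPoolClient (AWS JS SDK v2) that
// grants an app client custom scopes from a resource server.
// All ids, identifiers and scope names below are constructed placeholders.

// Scopes Cognito defines itself; anything else must be "<resourceServerId>/<scopeName>".
const BUILT_IN_SCOPES = new Set([
  'phone', 'email', 'openid', 'profile', 'aws.cognito.signin.user.admin',
]);

// Format one custom scope and reject values that cannot form a valid scope string.
function customScope(resourceServerIdentifier, scopeName) {
  if (!resourceServerIdentifier || /\s/.test(resourceServerIdentifier)) {
    throw new Error(`invalid resource server identifier: ${JSON.stringify(resourceServerIdentifier)}`);
  }
  if (!scopeName || /[\s/]/.test(scopeName)) {
    throw new Error(`invalid scope name: ${JSON.stringify(scopeName)}`);
  }
  return `${resourceServerIdentifier}/${scopeName}`;
}

// Build the full UpdateUserPoolClient input. UpdateUserPoolClient resets any
// attribute you omit to its default, so every OAuth setting the client should
// keep must be restated here, not only the scope list.
function buildUpdateClientParams({
  userPoolId, clientId, resourceServerIdentifier, customScopeNames,
  builtInScopes = [], oauthFlows = ['client_credentials'],
}) {
  for (const s of builtInScopes) {
    if (!BUILT_IN_SCOPES.has(s)) throw new Error(`unknown built-in scope: ${s}`);
  }
  const custom = customScopeNames.map((n) => customScope(resourceServerIdentifier, n));
  // Keep order, drop duplicates (e.g. a scope listed twice by the caller).
  const allowed = [...new Set([...builtInScopes, ...custom])];
  if (oauthFlows.includes('client_credentials') && allowed.some((s) => BUILT_IN_SCOPES.has(s))) {
    // client_credentials is machine-to-machine: there is no user, so the
    // user-bound built-in scopes have no meaning and Cognito rejects the mix.
    throw new Error('client_credentials flow allows custom scopes only');
  }
  return {
    UserPoolId: userPoolId,
    ClientId: clientId,
    AllowedOAuthFlowsUserPoolClient: true,
    AllowedOAuthFlows: oauthFlows,
    AllowedOAuthScopes: allowed,
  };
}

// Sending it (assumes the aws-sdk v2 package and credentials; not executed here):
// const AWS = require('aws-sdk');
// const cognito = new AWS.CognitoIdentityServiceProvider({ region: 'eu-west-1' });
// await cognito.updateUserPoolClient(params).promise();

// Placeholder values; the identifier and scope names match the answers' template.
const exampleParams = buildUpdateClientParams({
  userPoolId: 'eu-west-1_EXAMPLE',   // constructed placeholder
  clientId: 'exampleclientid123',    // constructed placeholder
  resourceServerIdentifier: 'users',
  customScopeNames: ['read', 'write'],
});
console.log(JSON.stringify(exampleParams, null, 2));
```

The same parameters map one-to-one onto the CLI command from the answer above (update-user-pool-client with --allowed-o-auth-scopes users/read users/write); the check that matters in either form is that the resource server is created before the client references its scopes, and that you restate the client's other OAuth settings when updating.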


For anyone coming here looking for a solution, please follow @JohnPauloRodriguez's sample template. But you might need to add the DependsOn attribute key in the UserPoolClient template for it to work.

The reason is that the Resource Server with these custom scopes must exist first; only then can we refer to them in the client. As per the CloudFormation docs:

With the DependsOn attribute you can specify that the creation of a specific resource follows another. When you add a DependsOn attribute to a resource, that resource is created only after the creation of the resource specified in the DependsOn attribute.

So the template for UserPoolClient will become:

CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    DependsOn: UserPoolResourceServer      # resource server (and its scopes) must exist first
    Properties:
      UserPoolId: !Ref UserPool
      AllowedOAuthFlowsUserPoolClient: true
      AllowedOAuthFlows:
        - code
      # The code flow goes through the hosted UI, so the client also needs
      # at least one callback URL and an identity provider (placeholders below).
      CallbackURLs:
        - https://example.invalid/callback
      SupportedIdentityProviders:
        - COGNITO
      AllowedOAuthScopes:
        - users/read
        - users/write
Rajeev answered Sep 19 '22 13:09