# help
b
Hey guys, looking at Cognito User Pools for the first time and I’ve clocked that every time we make a change, even though the Auth construct remains (thanks to default RemovalPolicy), the client id and secret get regenerated. Is there any way to keep those static between updates? Had a quick look through the type def. files and through some of the sst docs but couldn’t find anything about it. I’m gonna go and look at the CDK docs next but thought I’d reach out in the meantime.
c
Can you share the code of how you're creating the client?
b
Looks like the project is using CDK constructs directly, but it's:
```
userPool.addClient("user-pool-client", {
  oAuth: {
    flows: {
      clientCredentials: true,
    },
    scopes: [OAuthScope.resourceServer(resourceServer, allScope)],
  },
  generateSecret: true,
});
```
If `generateSecret` isn’t set then no secret is generated, but I can’t see a way to set it directly. I have no clue about the client id side of things.
c
What you could maybe try is something like this:
```
import * as cognito from "@aws-cdk/aws-cognito";
import { Auth } from "@serverless-stack/resources";

// resourceServer and allScope come from the existing stack code
const userPool = new cognito.UserPool(this, "UserPool", {
  userPoolName: "my-user-pool",
  signInAliases: { email: true, phone: true },
});
// Standalone client construct instead of userPool.addClient(...)
const userPoolClient = new cognito.UserPoolClient(this, "UserPoolClient", {
  userPool,
  oAuth: {
    flows: {
      clientCredentials: true,
    },
    scopes: [cognito.OAuthScope.resourceServer(resourceServer, allScope)],
  },
  generateSecret: true,
});

new Auth(this, "Auth", {
  cognito: {
    userPool,
    userPoolClient,
  },
});
```
Instead of the `addClient` you are using above. Decoupling the two constructs (userPool and userPoolClient) might prevent the userPoolClient from being recreated every time. It's a long shot because I don't think you can have a userPoolClient without a userPool, but worth a try.
b
Found this, doesn’t look like it can be done.
Ugh, didn’t paste the link: https://github.com/aws/aws-cdk/issues/11392