feat(cognito): support for ALLOW_USER_AUTH explicit auth flow (#32273)

### Reason for this change

Cognito [released some new auth flow
features](https://aws.amazon.com/blogs/aws/improve-your-app-authentication-workflow-with-new-amazon-cognito-features/)
which have [made their way into
cloudformation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-cognito-userpoolclient.html#cfn-cognito-userpoolclient-explicitauthflows).
I want to be able to use the new `USER_AUTH` sign in on a
`UserPoolClient`.

### Description of changes

I've added a `user` option to the `AuthFlow` struct for
`UserPoolClient`. This naming matches the naming convention for the
other settings in `AuthFlow` so while `user` is a very generic label, I
think it makes sense in the context of this `AuthFlow` struct. i.e. the
current properties are:

```
adminUserPassword -> ADMIN_USER_PASSWORD_AUTH
custom -> CUSTOM_AUTH
userPassword -> USER_PASSWORD_AUTH
userSrp -> USER_SRP_AUTH
```

This property then sets the `"ALLOW_USER_AUTH"` value in the
`ExplicitAuthFlows` of the `UserPoolClient`.

### Description of how you validated changes

I added the setting to both the unit and integration tests which have
all auth types enabled.

### Checklist
- [x] My code adheres to the [CONTRIBUTING
GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and
[DESIGN
GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license*

Co-authored-by: GZ <[email protected]>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

Author: 3 people

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/integ-user-pool-client-explicit-props.template.json

@@ -66,6 +66,7 @@
      "ALLOW_ADMIN_USER_PASSWORD_AUTH",
      "ALLOW_CUSTOM_AUTH",
      "ALLOW_USER_SRP_AUTH",
+     "ALLOW_USER_AUTH",
      "ALLOW_REFRESH_TOKEN_AUTH"
     ],
     "GenerateSecret": true,

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.js.snapshot/tree.json

@@ -20,6 +20,7 @@ const client = userpool.addClient('myuserpoolclient', {
     custom: true,
     userPassword: true,
     userSrp: true,
+    user: true,
   },
   generateSecret: true,
   oAuth: {

packages/@aws-cdk-testing/framework-integ/test/aws-cognito/test/integ.user-pool-client-explicit-props.ts

@@ -699,6 +699,9 @@ Custom authentication protocols can be configured by setting the `custom` proper
 functions for the corresponding user pool [triggers](#lambda-triggers). Learn more at [Custom Authentication
 Flow](https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-custom-authentication-flow).
 
+Choice-based authentication can be configured by setting the `user` property under `authFlow`. This enables the
+`USER_AUTH` authentication flow. Learn more at [Choice-based authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flows-selection-sdk.html#authentication-flows-selection-choice).
+
 In addition to these authentication mechanisms, Cognito user pools also support using OAuth 2.0 framework for
 authenticating users. User pool clients can be configured with OAuth 2.0 authorization flows and scopes. Learn more
 about the [OAuth 2.0 authorization framework](https://tools.ietf.org/html/rfc6749) and [Cognito user pool's

packages/aws-cdk-lib/aws-cognito/README.md

@@ -34,6 +34,12 @@ export interface AuthFlow {
    * @default false
    */
   readonly userSrp?: boolean;
+
+  /**
+   * Enable Choice-based authentication
+   * @default false
+   */
+  readonly user?: boolean;
 }
 
 /**
@@ -525,6 +531,7 @@ export class UserPoolClient extends Resource implements IUserPoolClient {
     if (props.authFlows.adminUserPassword) { authFlows.push('ALLOW_ADMIN_USER_PASSWORD_AUTH'); }
     if (props.authFlows.custom) { authFlows.push('ALLOW_CUSTOM_AUTH'); }
     if (props.authFlows.userSrp) { authFlows.push('ALLOW_USER_SRP_AUTH'); }
+    if (props.authFlows.user) { authFlows.push('ALLOW_USER_AUTH'); }
 
     // refreshToken should always be allowed if authFlows are present
     authFlows.push('ALLOW_REFRESH_TOKEN_AUTH');

packages/aws-cdk-lib/aws-cognito/lib/user-pool-client.ts

@@ -255,6 +255,7 @@ describe('User Pool Client', () => {
         custom: true,
         userPassword: true,
         userSrp: true,
+        user: true,
       },
     });
 
@@ -264,6 +265,7 @@ describe('User Pool Client', () => {
         'ALLOW_ADMIN_USER_PASSWORD_AUTH',
         'ALLOW_CUSTOM_AUTH',
         'ALLOW_USER_SRP_AUTH',
+        'ALLOW_USER_AUTH',
         'ALLOW_REFRESH_TOKEN_AUTH',
       ],
     });
@@ -281,6 +283,7 @@ describe('User Pool Client', () => {
         custom: false,
         userPassword: false,
         userSrp: false,
+        user: false,
       },
     });