aws-cdk-lib 2.147.3__py3-none-any.whl → 2.148.0__py3-none-any.whl

aws_cdk/aws_verifiedpermissions/__init__.py

@@ -1,4 +1,4 @@
-'''
+r'''
 # AWS::VerifiedPermissions Construct Library
 
 <!--BEGIN STABILITY BANNER-->---
@@ -102,6 +102,26 @@ class CfnIdentitySource(
                     group_configuration=verifiedpermissions.CfnIdentitySource.CognitoGroupConfigurationProperty(
                         group_entity_type="groupEntityType"
                     )
+                ),
+                open_id_connect_configuration=verifiedpermissions.CfnIdentitySource.OpenIdConnectConfigurationProperty(
+                    issuer="issuer",
+                    token_selection=verifiedpermissions.CfnIdentitySource.OpenIdConnectTokenSelectionProperty(
+                        access_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty(
+                            audiences=["audiences"],
+                            principal_id_claim="principalIdClaim"
+                        ),
+                        identity_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty(
+                            client_ids=["clientIds"],
+                            principal_id_claim="principalIdClaim"
+                        )
+                    ),
+        
+                    # the properties below are optional
+                    entity_id_prefix="entityIdPrefix",
+                    group_configuration=verifiedpermissions.CfnIdentitySource.OpenIdConnectGroupConfigurationProperty(
+                        group_claim="groupClaim",
+                        group_entity_type="groupEntityType"
+                    )
                 )
             ),
             policy_store_id="policyStoreId",
@@ -426,13 +446,15 @@ class CfnIdentitySource(
         jsii_struct_bases=[],
         name_mapping={
             "cognito_user_pool_configuration": "cognitoUserPoolConfiguration",
+            "open_id_connect_configuration": "openIdConnectConfiguration",
         },
     )
     class IdentitySourceConfigurationProperty:
         def __init__(
             self,
             *,
-            cognito_user_pool_configuration: typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentitySource.CognitoUserPoolConfigurationProperty", typing.Dict[builtins.str, typing.Any]]],
+            cognito_user_pool_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentitySource.CognitoUserPoolConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            open_id_connect_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentitySource.OpenIdConnectConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
             '''A structure that contains configuration information used when creating or updating a new identity source.
 
@@ -443,6 +465,7 @@ class CfnIdentitySource(
                You must specify a ``userPoolArn`` , and optionally, a ``ClientId`` .
 
             :param cognito_user_pool_configuration: A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions .
+            :param open_id_connect_configuration: 
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-identitysourceconfiguration.html
             :exampleMetadata: fixture=_generated
@@ -462,27 +485,59 @@ class CfnIdentitySource(
                         group_configuration=verifiedpermissions.CfnIdentitySource.CognitoGroupConfigurationProperty(
                             group_entity_type="groupEntityType"
                         )
+                    ),
+                    open_id_connect_configuration=verifiedpermissions.CfnIdentitySource.OpenIdConnectConfigurationProperty(
+                        issuer="issuer",
+                        token_selection=verifiedpermissions.CfnIdentitySource.OpenIdConnectTokenSelectionProperty(
+                            access_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty(
+                                audiences=["audiences"],
+                                principal_id_claim="principalIdClaim"
+                            ),
+                            identity_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty(
+                                client_ids=["clientIds"],
+                                principal_id_claim="principalIdClaim"
+                            )
+                        ),
+                
+                        # the properties below are optional
+                        entity_id_prefix="entityIdPrefix",
+                        group_configuration=verifiedpermissions.CfnIdentitySource.OpenIdConnectGroupConfigurationProperty(
+                            group_claim="groupClaim",
+                            group_entity_type="groupEntityType"
+                        )
                     )
                 )
             '''
             if __debug__:
                 type_hints = typing.get_type_hints(_typecheckingstub__cb8ac8b859528aa35f38e7ba0f1da77e89bd8aa3f424fb5dcd81661032e5a44e)
                 check_type(argname="argument cognito_user_pool_configuration", value=cognito_user_pool_configuration, expected_type=type_hints["cognito_user_pool_configuration"])
-            self._values: typing.Dict[builtins.str, typing.Any] = {
-                "cognito_user_pool_configuration": cognito_user_pool_configuration,
-            }
+                check_type(argname="argument open_id_connect_configuration", value=open_id_connect_configuration, expected_type=type_hints["open_id_connect_configuration"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if cognito_user_pool_configuration is not None:
+                self._values["cognito_user_pool_configuration"] = cognito_user_pool_configuration
+            if open_id_connect_configuration is not None:
+                self._values["open_id_connect_configuration"] = open_id_connect_configuration
 
         @builtins.property
         def cognito_user_pool_configuration(
             self,
-        ) -> typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.CognitoUserPoolConfigurationProperty"]:
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.CognitoUserPoolConfigurationProperty"]]:
             '''A structure that contains configuration information used when creating or updating an identity source that represents a connection to an Amazon Cognito user pool used as an identity provider for Verified Permissions .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-identitysourceconfiguration.html#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-cognitouserpoolconfiguration
             '''
             result = self._values.get("cognito_user_pool_configuration")
-            assert result is not None, "Required property 'cognito_user_pool_configuration' is missing"
-            return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.CognitoUserPoolConfigurationProperty"], result)
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.CognitoUserPoolConfigurationProperty"]], result)
+
+        @builtins.property
+        def open_id_connect_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectConfigurationProperty"]]:
+            '''
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-identitysourceconfiguration.html#cfn-verifiedpermissions-identitysource-identitysourceconfiguration-openidconnectconfiguration
+            '''
+            result = self._values.get("open_id_connect_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectConfigurationProperty"]], result)
 
         def __eq__(self, rhs: typing.Any) -> builtins.bool:
             return isinstance(rhs, self.__class__) and rhs._values == self._values
@@ -595,6 +650,481 @@ class CfnIdentitySource(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_verifiedpermissions.CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "audiences": "audiences",
+            "principal_id_claim": "principalIdClaim",
+        },
+    )
+    class OpenIdConnectAccessTokenConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            audiences: typing.Optional[typing.Sequence[builtins.str]] = None,
+            principal_id_claim: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''The configuration of an OpenID Connect (OIDC) identity source for handling access token claims.
+
+            Contains the claim that you want to identify as the principal in an authorization request, and the values of the ``aud`` claim, or audiences, that you want to accept.
+
+            This data type is part of a `OpenIdConnectTokenSelection <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html>`_ structure, which is a parameter of `CreateIdentitySource <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html>`_ .
+
+            :param audiences: The access token ``aud`` claim values that you want to accept in your policy store. For example, ``https://myapp.example.com, https://myapp2.example.com`` .
+            :param principal_id_claim: The claim that determines the principal in OIDC access tokens. For example, ``sub`` . Default: - "sub"
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_verifiedpermissions as verifiedpermissions
+                
+                open_id_connect_access_token_configuration_property = verifiedpermissions.CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty(
+                    audiences=["audiences"],
+                    principal_id_claim="principalIdClaim"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__7998706a4a9cc38da1ed0db6b698971ec488a63fd69b5cdbdb293f77c241aa10)
+                check_type(argname="argument audiences", value=audiences, expected_type=type_hints["audiences"])
+                check_type(argname="argument principal_id_claim", value=principal_id_claim, expected_type=type_hints["principal_id_claim"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if audiences is not None:
+                self._values["audiences"] = audiences
+            if principal_id_claim is not None:
+                self._values["principal_id_claim"] = principal_id_claim
+
+        @builtins.property
+        def audiences(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''The access token ``aud`` claim values that you want to accept in your policy store.
+
+            For example, ``https://myapp.example.com, https://myapp2.example.com`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-audiences
+            '''
+            result = self._values.get("audiences")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def principal_id_claim(self) -> typing.Optional[builtins.str]:
+            '''The claim that determines the principal in OIDC access tokens.
+
+            For example, ``sub`` .
+
+            :default: - "sub"
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectaccesstokenconfiguration-principalidclaim
+            '''
+            result = self._values.get("principal_id_claim")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "OpenIdConnectAccessTokenConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_verifiedpermissions.CfnIdentitySource.OpenIdConnectConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "issuer": "issuer",
+            "token_selection": "tokenSelection",
+            "entity_id_prefix": "entityIdPrefix",
+            "group_configuration": "groupConfiguration",
+        },
+    )
+    class OpenIdConnectConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            issuer: builtins.str,
+            token_selection: typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentitySource.OpenIdConnectTokenSelectionProperty", typing.Dict[builtins.str, typing.Any]]],
+            entity_id_prefix: typing.Optional[builtins.str] = None,
+            group_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentitySource.OpenIdConnectGroupConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''Contains configuration details of an OpenID Connect (OIDC) identity provider, or identity source, that Verified Permissions can use to generate entities from authenticated identities.
+
+            It specifies the issuer URL, token type that you want to use, and policy store entity details.
+
+            This data type is part of a `Configuration <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_Configuration.html>`_ structure, which is a parameter to `CreateIdentitySource <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html>`_ .
+
+            :param issuer: The issuer URL of an OIDC identity provider. This URL must have an OIDC discovery endpoint at the path ``.well-known/openid-configuration`` .
+            :param token_selection: The token type that you want to process from your OIDC identity provider. Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
+            :param entity_id_prefix: A descriptive string that you want to prefix to user entities from your OIDC identity provider. For example, if you set an ``entityIdPrefix`` of ``MyOIDCProvider`` , you can reference principals in your policies in the format ``MyCorp::User::MyOIDCProvider|Carlos`` .
+            :param group_configuration: The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to. For example, this object can map the contents of a ``groups`` claim to ``MyCorp::UserGroup`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_verifiedpermissions as verifiedpermissions
+                
+                open_id_connect_configuration_property = verifiedpermissions.CfnIdentitySource.OpenIdConnectConfigurationProperty(
+                    issuer="issuer",
+                    token_selection=verifiedpermissions.CfnIdentitySource.OpenIdConnectTokenSelectionProperty(
+                        access_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty(
+                            audiences=["audiences"],
+                            principal_id_claim="principalIdClaim"
+                        ),
+                        identity_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty(
+                            client_ids=["clientIds"],
+                            principal_id_claim="principalIdClaim"
+                        )
+                    ),
+                
+                    # the properties below are optional
+                    entity_id_prefix="entityIdPrefix",
+                    group_configuration=verifiedpermissions.CfnIdentitySource.OpenIdConnectGroupConfigurationProperty(
+                        group_claim="groupClaim",
+                        group_entity_type="groupEntityType"
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__f2cbaf9f8e84c4afb5efd9d601c7545c48652b8f118e22b861f76e11a0491e58)
+                check_type(argname="argument issuer", value=issuer, expected_type=type_hints["issuer"])
+                check_type(argname="argument token_selection", value=token_selection, expected_type=type_hints["token_selection"])
+                check_type(argname="argument entity_id_prefix", value=entity_id_prefix, expected_type=type_hints["entity_id_prefix"])
+                check_type(argname="argument group_configuration", value=group_configuration, expected_type=type_hints["group_configuration"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "issuer": issuer,
+                "token_selection": token_selection,
+            }
+            if entity_id_prefix is not None:
+                self._values["entity_id_prefix"] = entity_id_prefix
+            if group_configuration is not None:
+                self._values["group_configuration"] = group_configuration
+
+        @builtins.property
+        def issuer(self) -> builtins.str:
+            '''The issuer URL of an OIDC identity provider.
+
+            This URL must have an OIDC discovery endpoint at the path ``.well-known/openid-configuration`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-issuer
+            '''
+            result = self._values.get("issuer")
+            assert result is not None, "Required property 'issuer' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def token_selection(
+            self,
+        ) -> typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectTokenSelectionProperty"]:
+            '''The token type that you want to process from your OIDC identity provider.
+
+            Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-tokenselection
+            '''
+            result = self._values.get("token_selection")
+            assert result is not None, "Required property 'token_selection' is missing"
+            return typing.cast(typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectTokenSelectionProperty"], result)
+
+        @builtins.property
+        def entity_id_prefix(self) -> typing.Optional[builtins.str]:
+            '''A descriptive string that you want to prefix to user entities from your OIDC identity provider.
+
+            For example, if you set an ``entityIdPrefix`` of ``MyOIDCProvider`` , you can reference principals in your policies in the format ``MyCorp::User::MyOIDCProvider|Carlos`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-entityidprefix
+            '''
+            result = self._values.get("entity_id_prefix")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        @builtins.property
+        def group_configuration(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectGroupConfigurationProperty"]]:
+            '''The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to.
+
+            For example, this object can map the contents of a ``groups`` claim to ``MyCorp::UserGroup`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectconfiguration-groupconfiguration
+            '''
+            result = self._values.get("group_configuration")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectGroupConfigurationProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "OpenIdConnectConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_verifiedpermissions.CfnIdentitySource.OpenIdConnectGroupConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "group_claim": "groupClaim",
+            "group_entity_type": "groupEntityType",
+        },
+    )
+    class OpenIdConnectGroupConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            group_claim: builtins.str,
+            group_entity_type: builtins.str,
+        ) -> None:
+            '''The claim in OIDC identity provider tokens that indicates a user's group membership, and the entity type that you want to map it to.
+
+            For example, this object can map the contents of a ``groups`` claim to ``MyCorp::UserGroup`` .
+
+            This data type is part of a `OpenIdConnectConfiguration <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html>`_ structure, which is a parameter of `CreateIdentitySource <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html>`_ .
+
+            :param group_claim: The token claim that you want Verified Permissions to interpret as group membership. For example, ``groups`` .
+            :param group_entity_type: The policy store entity type that you want to map your users' group claim to. For example, ``MyCorp::UserGroup`` . A group entity type is an entity that can have a user entity type as a member.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectgroupconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_verifiedpermissions as verifiedpermissions
+                
+                open_id_connect_group_configuration_property = verifiedpermissions.CfnIdentitySource.OpenIdConnectGroupConfigurationProperty(
+                    group_claim="groupClaim",
+                    group_entity_type="groupEntityType"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__ab6d245db8c3db5a35fe4e1c5a4195b5633475440923b68ec4da0c666bb4a554)
+                check_type(argname="argument group_claim", value=group_claim, expected_type=type_hints["group_claim"])
+                check_type(argname="argument group_entity_type", value=group_entity_type, expected_type=type_hints["group_entity_type"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "group_claim": group_claim,
+                "group_entity_type": group_entity_type,
+            }
+
+        @builtins.property
+        def group_claim(self) -> builtins.str:
+            '''The token claim that you want Verified Permissions to interpret as group membership.
+
+            For example, ``groups`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectgroupconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupclaim
+            '''
+            result = self._values.get("group_claim")
+            assert result is not None, "Required property 'group_claim' is missing"
+            return typing.cast(builtins.str, result)
+
+        @builtins.property
+        def group_entity_type(self) -> builtins.str:
+            '''The policy store entity type that you want to map your users' group claim to.
+
+            For example, ``MyCorp::UserGroup`` . A group entity type is an entity that can have a user entity type as a member.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectgroupconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectgroupconfiguration-groupentitytype
+            '''
+            result = self._values.get("group_entity_type")
+            assert result is not None, "Required property 'group_entity_type' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "OpenIdConnectGroupConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_verifiedpermissions.CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "client_ids": "clientIds",
+            "principal_id_claim": "principalIdClaim",
+        },
+    )
+    class OpenIdConnectIdentityTokenConfigurationProperty:
+        def __init__(
+            self,
+            *,
+            client_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+            principal_id_claim: typing.Optional[builtins.str] = None,
+        ) -> None:
+            '''The configuration of an OpenID Connect (OIDC) identity source for handling identity (ID) token claims.
+
+            Contains the claim that you want to identify as the principal in an authorization request, and the values of the ``aud`` claim, or audiences, that you want to accept.
+
+            This data type is part of a `OpenIdConnectTokenSelection <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectTokenSelection.html>`_ structure, which is a parameter of `CreateIdentitySource <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html>`_ .
+
+            :param client_ids: The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider. For example, ``1example23456789, 2example10111213`` .
+            :param principal_id_claim: The claim that determines the principal in OIDC access tokens. For example, ``sub`` . Default: - "sub"
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_verifiedpermissions as verifiedpermissions
+                
+                open_id_connect_identity_token_configuration_property = verifiedpermissions.CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty(
+                    client_ids=["clientIds"],
+                    principal_id_claim="principalIdClaim"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__99f6b4ca1823509344404edb31bf292b51c5620a674212be5ce0be65dc78575d)
+                check_type(argname="argument client_ids", value=client_ids, expected_type=type_hints["client_ids"])
+                check_type(argname="argument principal_id_claim", value=principal_id_claim, expected_type=type_hints["principal_id_claim"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if client_ids is not None:
+                self._values["client_ids"] = client_ids
+            if principal_id_claim is not None:
+                self._values["principal_id_claim"] = principal_id_claim
+
+        @builtins.property
+        def client_ids(self) -> typing.Optional[typing.List[builtins.str]]:
+            '''The ID token audience, or client ID, claim values that you want to accept in your policy store from an OIDC identity provider.
+
+            For example, ``1example23456789, 2example10111213`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-clientids
+            '''
+            result = self._values.get("client_ids")
+            return typing.cast(typing.Optional[typing.List[builtins.str]], result)
+
+        @builtins.property
+        def principal_id_claim(self) -> typing.Optional[builtins.str]:
+            '''The claim that determines the principal in OIDC access tokens.
+
+            For example, ``sub`` .
+
+            :default: - "sub"
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration.html#cfn-verifiedpermissions-identitysource-openidconnectidentitytokenconfiguration-principalidclaim
+            '''
+            result = self._values.get("principal_id_claim")
+            return typing.cast(typing.Optional[builtins.str], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "OpenIdConnectIdentityTokenConfigurationProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_verifiedpermissions.CfnIdentitySource.OpenIdConnectTokenSelectionProperty",
+        jsii_struct_bases=[],
+        name_mapping={
+            "access_token_only": "accessTokenOnly",
+            "identity_token_only": "identityTokenOnly",
+        },
+    )
+    class OpenIdConnectTokenSelectionProperty:
+        def __init__(
+            self,
+            *,
+            access_token_only: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            identity_token_only: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+        ) -> None:
+            '''The token type that you want to process from your OIDC identity provider.
+
+            Your policy store can process either identity (ID) or access tokens from a given OIDC identity source.
+
+            This data type is part of a `OpenIdConnectConfiguration <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_OpenIdConnectConfiguration.html>`_ structure, which is a parameter of `CreateIdentitySource <https://docs.aws.amazon.com/verifiedpermissions/latest/apireference/API_CreateIdentitySource.html>`_ .
+
+            :param access_token_only: The OIDC configuration for processing access tokens. Contains allowed audience claims, for example ``https://auth.example.com`` , and the claim that you want to map to the principal, for example ``sub`` .
+            :param identity_token_only: The OIDC configuration for processing identity (ID) tokens. Contains allowed client ID claims, for example ``1example23456789`` , and the claim that you want to map to the principal, for example ``sub`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnecttokenselection.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_verifiedpermissions as verifiedpermissions
+                
+                open_id_connect_token_selection_property = verifiedpermissions.CfnIdentitySource.OpenIdConnectTokenSelectionProperty(
+                    access_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty(
+                        audiences=["audiences"],
+                        principal_id_claim="principalIdClaim"
+                    ),
+                    identity_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty(
+                        client_ids=["clientIds"],
+                        principal_id_claim="principalIdClaim"
+                    )
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__70c96a791508272a0d3c3378e83ae61f563c50846f156b3664ab9d4f13f24e41)
+                check_type(argname="argument access_token_only", value=access_token_only, expected_type=type_hints["access_token_only"])
+                check_type(argname="argument identity_token_only", value=identity_token_only, expected_type=type_hints["identity_token_only"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {}
+            if access_token_only is not None:
+                self._values["access_token_only"] = access_token_only
+            if identity_token_only is not None:
+                self._values["identity_token_only"] = identity_token_only
+
+        @builtins.property
+        def access_token_only(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty"]]:
+            '''The OIDC configuration for processing access tokens.
+
+            Contains allowed audience claims, for example ``https://auth.example.com`` , and the claim that you want to map to the principal, for example ``sub`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnecttokenselection.html#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-accesstokenonly
+            '''
+            result = self._values.get("access_token_only")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty"]], result)
+
+        @builtins.property
+        def identity_token_only(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty"]]:
+            '''The OIDC configuration for processing identity (ID) tokens.
+
+            Contains allowed client ID claims, for example ``1example23456789`` , and the claim that you want to map to the principal, for example ``sub`` .
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-verifiedpermissions-identitysource-openidconnecttokenselection.html#cfn-verifiedpermissions-identitysource-openidconnecttokenselection-identitytokenonly
+            '''
+            result = self._values.get("identity_token_only")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty"]], result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "OpenIdConnectTokenSelectionProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
 
 @jsii.data_type(
     jsii_type="aws-cdk-lib.aws_verifiedpermissions.CfnIdentitySourceProps",
@@ -638,6 +1168,26 @@ class CfnIdentitySourceProps:
                         group_configuration=verifiedpermissions.CfnIdentitySource.CognitoGroupConfigurationProperty(
                             group_entity_type="groupEntityType"
                         )
+                    ),
+                    open_id_connect_configuration=verifiedpermissions.CfnIdentitySource.OpenIdConnectConfigurationProperty(
+                        issuer="issuer",
+                        token_selection=verifiedpermissions.CfnIdentitySource.OpenIdConnectTokenSelectionProperty(
+                            access_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty(
+                                audiences=["audiences"],
+                                principal_id_claim="principalIdClaim"
+                            ),
+                            identity_token_only=verifiedpermissions.CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty(
+                                client_ids=["clientIds"],
+                                principal_id_claim="principalIdClaim"
+                            )
+                        ),
+            
+                        # the properties below are optional
+                        entity_id_prefix="entityIdPrefix",
+                        group_configuration=verifiedpermissions.CfnIdentitySource.OpenIdConnectGroupConfigurationProperty(
+                            group_claim="groupClaim",
+                            group_entity_type="groupEntityType"
+                        )
                     )
                 ),
                 policy_store_id="policyStoreId",
@@ -2028,7 +2578,8 @@ def _typecheckingstub__75fd393134ee256da001941239770b4cb04ba63bc1c52b04b0d0a17fc
 
 def _typecheckingstub__cb8ac8b859528aa35f38e7ba0f1da77e89bd8aa3f424fb5dcd81661032e5a44e(
     *,
-    cognito_user_pool_configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.CognitoUserPoolConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],
+    cognito_user_pool_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.CognitoUserPoolConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    open_id_connect_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.OpenIdConnectConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
     """Type checking stubs"""
     pass
@@ -2043,6 +2594,48 @@ def _typecheckingstub__7de43a4292ffc2c919be30326e38112109b1f65de4681523bb84b29e2
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__7998706a4a9cc38da1ed0db6b698971ec488a63fd69b5cdbdb293f77c241aa10(
+    *,
+    audiences: typing.Optional[typing.Sequence[builtins.str]] = None,
+    principal_id_claim: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__f2cbaf9f8e84c4afb5efd9d601c7545c48652b8f118e22b861f76e11a0491e58(
+    *,
+    issuer: builtins.str,
+    token_selection: typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.OpenIdConnectTokenSelectionProperty, typing.Dict[builtins.str, typing.Any]]],
+    entity_id_prefix: typing.Optional[builtins.str] = None,
+    group_configuration: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.OpenIdConnectGroupConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__ab6d245db8c3db5a35fe4e1c5a4195b5633475440923b68ec4da0c666bb4a554(
+    *,
+    group_claim: builtins.str,
+    group_entity_type: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__99f6b4ca1823509344404edb31bf292b51c5620a674212be5ce0be65dc78575d(
+    *,
+    client_ids: typing.Optional[typing.Sequence[builtins.str]] = None,
+    principal_id_claim: typing.Optional[builtins.str] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
+def _typecheckingstub__70c96a791508272a0d3c3378e83ae61f563c50846f156b3664ab9d4f13f24e41(
+    *,
+    access_token_only: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.OpenIdConnectAccessTokenConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    identity_token_only: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.OpenIdConnectIdentityTokenConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__2c26583940e2aa6e9d220c2c5b1722091a1344919725a0cfeb5b794a1ef3dc30(
     *,
     configuration: typing.Union[_IResolvable_da3f097b, typing.Union[CfnIdentitySource.IdentitySourceConfigurationProperty, typing.Dict[builtins.str, typing.Any]]],