Can we trigger pre token generation lambda in AWS Cognito for app clients (client credentials)?
AWS Cognito pre token generation lambda trigger
Sorry, but your question is difficult to understand. Please edit your question and add more details. For example, what do you mean by "pre token generation lambda"? What are you wanting to accomplish? What have you tried so far? –
Selfexamination
Thanks John for your reply. I want to set up a trigger for my AWS Cognito user pool to call the "Pre-Token generation" lambda, so that new claims can be added on top of what the Cognito pool has. I figured that out myself and found the Cognito trigger "Pre-Token generation" lambda supports only amendments to ID tokens and not access tokens. So, this will only work if an actual user is trying to get a token and not for app clients if they want to get an access token (because app clients only get an access token). –
Allargando
I figured that out myself and found the Cognito trigger "Pre-Token generation" lambda supports only amendments to ID tokens and not access tokens. So, this will only work if an actual user is trying to get a token and not for app clients, as app clients only get an access token.
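As an added illustration of the ID-token-only behaviour the answer describes (this is example code, not the answer's own), here is a Python Pre Token Generation handler in the V1 event shape that Cognito invokes for user-based flows. It copies an allowlisted user attribute into an ID-token claim and suppresses one it does not want in the token. The attribute name `custom:org_id`, the claim name `org_id`, and all values in the sample event are constructed for this example. An access token obtained through the client-credentials grant never passes through this handler, so nothing here can help an app client.

```python
import copy

# Constructed sample of the Pre Token Generation (V1) event for a user sign-in.
# Every identifier and value below is made up for this example.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "TokenGeneration_Authentication",
    "userPoolId": "us-east-1_EXAMPLEPOOL",
    "callerContext": {"clientId": "example-app-client-id"},
    "request": {
        "userAttributes": {
            "sub": "11111111-2222-3333-4444-555555555555",
            "email": "alice@example.com",
            "custom:org_id": "org-42",  # hypothetical custom attribute
        },
        "groupConfiguration": {
            "groupsToOverride": ["readers"],
            "iamRolesToOverride": [],
            "preferredRole": None,
        },
    },
    "response": {},
}

# Attributes the API is allowed to see as claims: an explicit allowlist, so a
# new attribute on the pool does not silently leak into every ID token.
ATTRIBUTE_TO_CLAIM = {"custom:org_id": "org_id"}


def lambda_handler(event, context):
    """Add allowlisted user attributes as ID-token claims.

    Cognito reads event["response"]["claimsOverrideDetails"] and applies it to
    the ID token only, which is why the client-credentials grant (access token
    only, no user attributes) cannot be customised this way.
    """
    attrs = event.get("request", {}).get("userAttributes", {})
    claims_to_add = {}
    for attr_name, claim_name in ATTRIBUTE_TO_CLAIM.items():
        value = attrs.get(attr_name)
        if value:
            claims_to_add[claim_name] = value

    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims_to_add,
        # Keep PII out of the token when the downstream API does not need it.
        "claimsToSuppress": ["email"],
    }
    return event


def claims_override_for(event):
    """Run the handler on a copy of the event and return its override block."""
    out = lambda_handler(copy.deepcopy(event), None)
    return out["response"]["claimsOverrideDetails"]


if __name__ == "__main__":
    print(claims_override_for(SAMPLE_EVENT))
```

The handler returns the whole event object, as the trigger contract requires; returning only the override block would make Cognito fail the token request.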
This is a painful limitation of Cognito. Auth0 supports adding metadata to clients, and the hooks support allows injecting that metadata as claims in access tokens. My use case is creating M2M clients that are only used with the Client Credentials flow - it would be useful to store claims such as customer/organization ID so the underlying API can use that for filtering responses. –
Dander
Yes, Cognito doesn't allow storing user attributes with app clients (i.e. the client credentials grant type for M2M communication), but we are using scopes for user attributes (customer id or organisation id) in your use case, e.g. customer.id.<valueid> as a scope, and the underlying API will fetch that data from the scope. –
Allargando
Was really hoping this was possible –
Papuan
@GursharanAulakh scopes for organization id? Wouldn't that require a scope per organization? Also, you run the risk of clients getting all organization ids if they don't specify a scope when requesting a token. It would be awesome if AWS had this extensibility without having to hijack scopes. –
Papuan
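The comments above describe carrying a customer id in a custom scope and the risk that a token issued without that scope returns every customer's data. The Python below is an added example (not code from either commenter) of how the resource server side can do this safely: Cognito issues custom scopes as `<resource-server-identifier>/<scope-name>` in the access token's space-separated `scope` claim, and the API refuses any token that does not carry exactly one `customer.id.<value>` scope instead of falling back to an unfiltered response. The resource server identifier `api`, the claim values, and the order records are constructed for this example, and the claims are assumed to come from a JWT whose signature, issuer and expiry have already been verified against the user pool.

```python
import re

# Cognito custom scope format: "<resource-server-identifier>/<scope-name>".
# "api" is an assumed resource server identifier; the customer.id.<value>
# naming follows the scheme described in the comments.
CUSTOMER_SCOPE = re.compile(r"^api/customer\.id\.([A-Za-z0-9_-]+)$")


class ScopeError(Exception):
    """The token does not carry exactly one customer.id scope."""


def customer_id_from_claims(claims):
    """Extract the single customer id a verified access token is scoped to.

    Fails closed: a token with no customer.id scope, or with more than one,
    is rejected rather than being treated as "all customers".
    """
    if claims.get("token_use") != "access":
        raise ScopeError("expected a Cognito access token (token_use=access)")

    ids = set()
    for scope in claims.get("scope", "").split():
        match = CUSTOMER_SCOPE.match(scope)
        if match:
            ids.add(match.group(1))

    if not ids:
        raise ScopeError("no customer.id scope on token; refusing unscoped access")
    if len(ids) > 1:
        raise ScopeError("token carries several customer.id scopes; ambiguous")
    return ids.pop()


def orders_for_token(claims, orders):
    """Return only the orders belonging to the customer the token is scoped to."""
    customer_id = customer_id_from_claims(claims)
    return [order for order in orders if order["customer_id"] == customer_id]


# Constructed sample data for running the example offline.
SAMPLE_ORDERS = [
    {"id": "o-1", "customer_id": "42", "total": 10},
    {"id": "o-2", "customer_id": "7", "total": 99},
    {"id": "o-3", "customer_id": "42", "total": 5},
]

# Decoded claims of a hypothetical client-credentials access token.
SAMPLE_CLAIMS = {
    "token_use": "access",
    "client_id": "example-m2m-client-id",
    "scope": "api/customer.id.42 api/orders.read",
}

if __name__ == "__main__":
    print(orders_for_token(SAMPLE_CLAIMS, SAMPLE_ORDERS))
```

Because an app client can only request scopes that are enabled for it in the user pool, the per-customer scope also has to be restricted per client in the pool configuration; the check above is the API-side half of that control.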