Custom attributes in Cognito Access Token
I'm relatively new to AWS, and so my lack of knowledge of this may be the reason why I don't understand why this doesn't work. However, I've looked around the web as well as the docs for solutions (for a couple of days now); and those solutions, for reasons I still don't understand, do not work in my case.

The problem I'm having is that my users have these custom attributes set to them that aren't present in the jwt access_token when authenticating a user:

These are the custom attributes I need in the token (screenshot not included).

However, when authenticating the user on my express backend using the @aws-sdk/client-cognito-identity-provider:

const pool = await this._awsCognitoService
    .initiateAuth({
        AuthFlow: "USER_PASSWORD_AUTH",
        ClientId: process.env.CLIENT_ID,
        AuthParameters: {
            USERNAME: data.email,
            PASSWORD: data.password,
        },
    });

after decoding the AccessToken, none of my custom attributes are present.

So I've added a Lambda function trigger for pre-token generation (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html)

and the code looks like this:

exports.handler = (event, context, callback) => {
    event.response = {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "custom:branch_id": event.request.userAttributes["custom:branch_id"],
                "custom:company_id": event.request.userAttributes["custom:company_id"],
            },
        },
    };

    callback(null, event);
};


The Pre-Token Generation Lambda function does get triggered when the user authenticates (via the express app).

However, the access token retrieved from initiateAuth(...) has none of those attributes that I've set to override.

I've already set the read and write permissions for the custom attributes, so that wasn't the problem. (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html)

I know this had nothing to do with the problem, but I was left with no option but to just try. I've enabled all the attributes on App Client Settings just so I can see those sweet sweet custom attributes, but still the same. No custom attribute present on the token.

Initially, all those checkboxes were unchecked. I reverted it to its initial state because this did nothing to help the situation.

Any help would be appreciated

Micelle answered 7/7, 2021 at 9:14

As far as I understand, the custom attributes are only available as extra metadata on the client for ID tokens; they don't relate at all to the authentication process and aren't present in the JWT for access tokens. The access token payload contains claims about the authenticated user, not custom-added attributes. You can refer to this to learn more about them.

Here is a sample ID token payload from the AWS docs:

{
    "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "aud": "xxxxxxxxxxxxexample",
    "email_verified": true,
    "token_use": "id",
    "auth_time": 1500009400,
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
    "cognito:username": "janedoe",
    "exp": 1500013000,
    "given_name": "Jane",
    "iat": 1500009400,
    "email": "janedoe@example.com",
    "jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "origin_jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
}

Mckeever answered 7/7, 2021 at 12:14
Thank you for the answer, I figured out the reason behind it! I was setting the token as AccessToken and not the IdToken. The AccessToken doesn't allow custom attributes in the JWT. After changing it, I can now see the custom attributes! I will mark your answer as correct. - Micelle

If anyone else wants to find out what the difference between the two is, OKTA has a good paragraph on it: developer.okta.com/docs/guides/validate-id-tokens/overview/… - Micelle

@Micelle What settings/configuration did you have to do to configure IdToken vs AccessToken? - Mohandas

@EmAe I don't think I had to do anything different. I just changed where I grabbed the token from: pool.AuthenticationResult.IdToken when the user gets authenticated. - Micelle

@Micelle I am not sure I understand you, but you are just using ID tokens now and it works fine, correct? Because I have the same use case: I have Okta SAML connected to AWS Cognito, and the attributes that are transferred from Okta to Cognito are in the ID token. I can use the ID token to do my validations and this is all fine. My only concern is that some people online state that the ID token should not be used for authorization logic, but this obviously does not work in every case (as we cannot add those custom attributes to the access token). - Bridal

@sem10 It's fine to authenticate with, but I'd steer clear of adding sensitive data in the attributes. - Micelle

This is now possible using version 2 of the Pre Token Generation Lambda trigger. In order to modify the access token, it is necessary to create a V2 trigger (enable advanced security on your pool first).

In the Lambda itself it is necessary to modify the incoming event by generating the response part (it will be empty under response, like: "response": {"claimsAndScopeOverrideDetails": null}) according to this documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#user-pool-lambda-pre-token-generation-accesstoken

This won't work for M2M / (app) client credentials grant, as the trigger won't be invoked in that case.

Nard answered 15/7, 2024 at 21:15
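The V2 response shape this answer refers to, as an added example that is neither Nard's nor the question's code: the handler copies the two custom attributes named in the question into both the ID token and the access token via `claimsAndScopeOverrideDetails`, and refuses V1-shaped events (which carry `claimsOverrideDetails` and cannot touch the access token). The sample event is constructed; its `version`, `triggerSource` and `groupConfiguration` values are assumptions about the V2 event layout and are not taken from the page, and the attribute values are made up.

```javascript
// Added example, not from the original answer: a version 2 pre token
// generation handler that adds custom attributes to the access token.
const ATTRIBUTES_TO_COPY = ["custom:branch_id", "custom:company_id"];

// Pure function so the logic can be exercised without a Lambda runtime.
function buildResponse(event) {
  // A V2 event arrives with "response": {"claimsAndScopeOverrideDetails": null}.
  // A V1 event has no such key; its "claimsOverrideDetails" only affects the ID token.
  if (!event.response || !("claimsAndScopeOverrideDetails" in event.response)) {
    throw new Error("expected a version 2 pre token generation event");
  }
  const attrs = event.request.userAttributes || {};
  const claims = {};
  for (const name of ATTRIBUTES_TO_COPY) {
    // Copy only attributes that are actually set; never emit an "undefined" claim.
    if (typeof attrs[name] === "string" && attrs[name] !== "") claims[name] = attrs[name];
  }
  event.response.claimsAndScopeOverrideDetails = {
    idTokenGeneration: { claimsToAddOrOverride: { ...claims } },
    accessTokenGeneration: { claimsToAddOrOverride: { ...claims } },
  };
  return event;
}

// Lambda entry point: Node.js runtimes accept an async handler that returns the event.
const handler = async (event) => buildResponse(event);

// Constructed sample of a V2 event (layout assumed; values made up).
function sampleEvent(userAttributes) {
  return {
    version: "2",
    triggerSource: "TokenGeneration_Authentication",
    userName: "janedoe",
    request: {
      userAttributes,
      groupConfiguration: { groupsToOverride: [], iamRolesToOverride: [], preferredRole: null },
      scopes: ["aws.cognito.signin.user.admin"],
    },
    response: { claimsAndScopeOverrideDetails: null },
  };
}

function demo() {
  const event = sampleEvent({
    sub: "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    email: "janedoe@example.com",
    "custom:branch_id": "b-42",
    "custom:company_id": "c-7",
  });
  return buildResponse(event).response.claimsAndScopeOverrideDetails;
}

console.log(JSON.stringify(demo(), null, 2));

if (typeof module !== "undefined") module.exports = { handler, buildResponse, sampleEvent, demo };
```

A claim the Lambda writes into the access token is only as trustworthy as the attribute it was copied from, so the resource server that consumes these claims still verifies the token's signature, issuer, client_id and token_use before using them for authorization decisions; and, as the answer notes, the trigger does not fire for the client credentials grant, so machine-to-machine tokens will not carry these claims.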

© 2022 - 2025 — McMap. All rights reserved.