Custom attribute not passed into ID_TOKEN created by AWS Cognito
I am not able to get a custom attribute in the ID_TOKEN returned from AWS Cognito after a successful user login.

Steps I tried:

1. Created user pool
2. Created app client and checked the custom attributes (customattrib1, customattrib2)

User Pool screen:

[screenshot of the user pool custom attributes; image not available]

Check custom attribute in app client config:

[screenshot of the app client attribute permissions; image not available]

3. Created user using the admin-create-user API

Below image shows the value for user attributes:

[screenshot of the user's attribute values; image not available]

4. Signed in the user using aws-cognito-auth.js in the client app. The ID token returned does not contain the custom attribute.

ID_TOKEN

```json
{
  "at_hash": "PKfjYDaiEty5mUOyJZlPQA",
  "sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
  "email_verified": true,
  "iss": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_XXXXXXX",
  "phone_number_verified": true,
  "cognito:username": "testuser",
  "aud": "XYXYXYXYX",
  "token_use": "id",
  "auth_time": 1549349674,
  "phone_number": "##########",
  "exp": 1549353274,
  "iat": 1549349674,
  "email": "[email protected]"
}
```

I have already checked the links below, which had some info regarding this issue, but nothing has helped so far.

Adding Cognito custom attributes post pool creation?

Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider

https://www.reddit.com/r/aws/comments/a07dwg/cognito_add_custom_attribute_to_jwt_token/

Please help me figure out if I am missing something.

Tasia answered 5/2, 2019 at 9:0 Comment(4)
Custom attributes will only appear if they are assigned a value. Did you add a value in the custom attributes you created? – Extinguisher
@AtharKhan Yes, the values were provided while creating the user. I have updated the question description to add the image showing the values of the user attributes. – Tasia
And you are sure that the app client id used for token generation is the one where you've assigned the readable/writable permissions? – Extinguisher
@AtharKhan Yes, there is only one app client; it is the same one on which I have marked the attribute and whose screen print I pasted. – Tasia
  • In your Cognito user pool go to General Settings -> App Clients, then for each app client click on Show Details, then Set attribute read and write permissions. Check the checkbox next to your attribute name under Readable Attributes.
  • In your Cognito user pool go to App client settings -> Allowed OAuth Scopes and enable the profile scope.
Langbehn answered 2/7, 2019 at 9:32 Comment(2)
One additional add-on: make sure, if you are using the hosted UI URL, that the URL contains profile as part of the scope parameter, i.e. &scope=email%20openid+profile. Having this in the app client settings isn't sufficient; it must be included in the hosted UI request params as well, or it will not return them as part of the JWT payload. – Chigger
If somebody is looking for a CDK solution, then cognito.UserPoolClient has the property readAttributes. Create it like (new cognito.ClientAttributes()).withCustomAttributes("custom:something"); there is a bug that withCustomAttributes creates a new object instead of appending to its own. – Pickerelweed

I had the same trouble and your question came up when I was searching for a solution.

My custom attributes started to appear in the ID token when I enabled the profile scope in 'App client settings' (available at: AWS console -> 'User pools' -> click your pool -> 'App client settings' -> 'Allowed OAuth Scopes').

(BTW: I was misled by this sentence from the documentation: "The openid scope returns all user attributes in the ID token that are readable by the client". In my case the openid scope was not enough.)

Axum answered 14/3, 2019 at 15:30 Comment(1)
They updated the documentation. Now it reads: "The profile scope grants access to all user attributes that are readable by the client. This scope can only be requested with the openid scope." – Curassow

For anyone coming here that is using the Amplify SDK like the OP: Copy and Paste calls out an important point, that your client ALSO needs to explicitly ask for the scope.

In my case I am using Angular. After adding "profile" to the User Pool "Allowed OAuth Scopes", you also need to specify it in your client configuration:

[screenshot of the Amplify client configuration with the profile scope; image not available]

Vain answered 6/12, 2022 at 17:28 Comment(0)

For me the problem was that I was getting my token (after authenticating with the Amplify js library) from:

```javascript
Auth.currentSession().then(u => u.getAccessToken().getJwtToken())
```

Instead of:

```javascript
Auth.currentSession().then(u => u.getIdToken().getJwtToken());
```

After changing it, it worked fine! Hope it helps!

Stated answered 11/3, 2022 at 17:54 Comment(0)
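The two failure modes on this page (holding the access token instead of the ID token, or the custom claims never being issued because the attribute is not readable or the profile scope is missing) can be told apart by decoding the token payload. This is an added diagnostic example, not code from the question, the answers or Amplify; the sample tokens, `HEADER`, `SIG` and the `diagnose`/`inspectCognitoToken` helpers are constructed for illustration.

```javascript
// Added example (not code from the question or the answers): decode a Cognito
// JWT without checking its signature, to see whether it is the ID token and
// whether the expected custom:* claims arrived. Verify the signature against
// the user pool's JWKS before trusting any claim; this is a diagnostic only.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(segment) {
  return Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64')
    .toString('utf8');
}

// Constructed, unsigned sample tokens standing in for what Amplify's
// getIdToken().getJwtToken() and getAccessToken().getJwtToken() return.
const HEADER = { alg: 'RS256', kid: 'constructed-kid' };
const SIG = 'constructed-signature';
const SAMPLE_ID_TOKEN = [base64UrlEncode(HEADER), base64UrlEncode({
  sub: '639d5016-2bd3-4c6f-b82d-21ae38071b09', token_use: 'id',
  'cognito:username': 'testuser', 'custom:customattrib1': 'value1',
}), SIG].join('.');
const SAMPLE_ACCESS_TOKEN = [base64UrlEncode(HEADER), base64UrlEncode({
  sub: '639d5016-2bd3-4c6f-b82d-21ae38071b09', token_use: 'access',
  username: 'testuser', scope: 'openid profile',
}), SIG].join('.');

// Returns the token_use claim and every custom:* claim found in the payload.
function inspectCognitoToken(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const custom = Object.fromEntries(
    Object.entries(payload).filter(([name]) => name.startsWith('custom:')));
  return { tokenUse: payload.token_use, custom };
}

// Separates the two causes the answers describe: wrong token type, or attribute not readable / profile scope missing.
function diagnose(jwt, expectedAttrs) {
  const { tokenUse, custom } = inspectCognitoToken(jwt);
  if (tokenUse !== 'id') {
    return { ok: false, reason: `token_use is "${tokenUse}"; custom attributes are only carried in the ID token` };
  }
  const missing = expectedAttrs.filter((name) => !(name in custom));
  if (missing.length > 0) {
    return { ok: false, reason: `ID token lacks ${missing.join(', ')}; check readable attributes and the profile scope` };
  }
  return { ok: true, custom };
}
```

Run under Node: `diagnose(SAMPLE_ACCESS_TOKEN, ['custom:customattrib1'])` is rejected on token_use, while `diagnose(SAMPLE_ID_TOKEN, ['custom:customattrib1'])` passes and returns the custom claim.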