(aws_cognito): Support Custom Attributes in Access Tokens

[Borduhh]

Describe the feature

I don't know if this is the right place for this. However, we use OAuth2 with our APIs to secure them with the authorization grant and client credentials flows.

One use case for this is allowing users to access our core APIs from their third-party applications directly. Currently, we use Auth0 to do this because they enable us to put the user's ID and organization ID in as custom claims and pass that info along with the access token, which gives us a complete picture of who is using the API (via a combo of user ID, organization ID, and scopes).

We've done a lot of research on this to make it work, to no avail. We would love to use Cognito via CDK, but this limitation is showstopping.

Use Case

We need this to get the complete picture of who is accessing our API with the following attributes:

• Custom User ID
• Custom Organization ID
• List of Scopes

Proposed Solution

Using the post login hook for Cognito, allow a user to add custom claims to that authorization token before it is created. This is the same way that Auth0 does it.

Other Information

No response

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

^2.97.1

Environment details (OS name and version, etc.)

MacOS Latest Version

[Borduhh]

An update. I saw this article that announced support for custom access tokens: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/

Unfortunately, it doesn't support using the client_credentials flow, which is needed in our case. Quoted from this article https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html:

Although you can generate access tokens for machine-to-machine (M2M) authorization with Amazon Cognito with a client credentials grant, M2M requests don’t invoke the pre token generation trigger function and can't issue customized access tokens. For more information about access tokens, see Using the access token.

[Borduhh]

I hope all is well! I was hoping to get an update on this. Like us, I am sure hundreds of others are paying Auth0 solely because of this issue.

[mirkods]

Hi @Borduhh,

this feature has finally been released 6 months ago, here the announcement https://aws.amazon.com/it/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens.

Keep in mind that using this features you will be charged additional costs on cognito (but is obviously still much more cheaper than Auth0).

[Borduhh]

Hi @Borduhh,

this feature has finally been released 6 months ago, here the announcement https://aws.amazon.com/it/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens.

Keep in mind that using this features you will be charged additional costs on cognito (but is obviously still much more cheaper than Auth0).

It appears that we still can't do it with M2M tokens(https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html):

Although you can generate access tokens for machine-to-machine (M2M) authorization with Amazon Cognito with a client credentials grant, M2M requests don’t invoke the pre token generation trigger function and can't issue customized access tokens.

Currently our process is that a third party can generate a new Client ID and Client Secret from our system and then use that to generate an access token for our external APIs. We use the custom attributes to tie the user's company ID to the token to ensure they only get access to their own data and perform actions for their own company.

[Borduhh]

I wanted to comment to bring this top of mind. I know we cannot be the only company using M2M tokens with custom claims, and I can only imagine how many of us are using Auth0 solely for that reason. I would love to know if there was any update on whether this might be supported someday in Cognito.

[mnhock]

Are there any plans to support this for m2m and client credentials flow?