lambda-pre-token-generation-accesstoken v2.

aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.

Apache License 2.0

2.82k stars 819 forks source link

lambda-pre-token-generation-accesstoken v2. #13638

Open biller-aivy opened 8 months ago

biller-aivy commented 8 months ago

Is this related to a new or existing framework?

React

Is this related to a new or existing API?

Authentication

Is this related to another service?

Cognito Trigger

Describe the feature you'd like to request

I want to add a claim to access token instead of id token to get this claim on a lambda app sync call. There is an updated API to do that: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html#user-pool-lambda-pre-token-generation-accesstoken

Describe the solution you'd like

add the v2 API to get access to access token.

Describe alternatives you've considered

Additional context

No response

Is this something that you'd be interested in working on?

[X] 👋 I may be able to implement this feature request
[X] ⚠️ This feature might incur a breaking change

nadetastic commented 8 months ago

HI @biller-aivy thank you for opening this issue. If you would like to be able to add a claim to you access token through the PreToken Generation lambda, this is something you are able to do yourself. Here are the steps:

Enable Advanced Security Features on your user pool
Update the Cognito trigger to use the V2 event by selecting Trigger event version of Basic features + access token customization.

With this configured you will be able to get the V2 event in your PreToken Generation lambda.

biller-aivy commented 8 months ago

So, when I do it in this way, I have to do it for all env by myself. Any plans for the cli?

I want a custom claim for my lambda code. But the lambda receives only the access token instead of id token. So the custom claim is not included at the moment. I saw that I can use also the id token for lambda calls. Any security issues than?

nadetastic commented 8 months ago

@biller-aivy IM going to transfer this over to the CLI repo to better address the question of introducing this natively into CLI.

matt-at-allera commented 3 months ago

@josefaidt could we get a status update on this ticket?

We're hoping to be able to programmatically specify V2_0 in the CDK for the PreTokenGeneration lambda as well. Normally, I am unopposed to using the UI to make one-time changes per @nadetastic 's comment. However, it seems that each time an update is deployed to the PreTokenGeneration lambda, that it reverts back to V1_0.

I found this other issue that described breaking apart the Auth stack and manually working through resolving circular dependencies: https://github.com/aws-amplify/amplify-cli/issues/12833#issuecomment-2152983374

The way I see reach resolution:

Functionality is added so that Amplify users are able can specify overrides for the AuthTriggerCustomLambdaStack.
The CLI is enhanced to ask which version to deploy (this may be tricky since the Advanced Security setting of the UserPool must be enabled first).
The generated CloudFormation does not revert the version back to V1_0 with each update.