aws-amplify / amplify-js

A declarative JavaScript library for application development using cloud services.
https://docs.amplify.aws/lib/q/platform/js
Apache License 2.0

GraphQL API should send idToken to AppSync instead of accessToken #11022

Open ffxsam opened 1 year ago

ffxsam commented 1 year ago

JavaScript Framework

Vue

Amplify APIs

GraphQL API

Amplify Categories

auth, api

Environment information

```
System:
  OS: macOS 12.6.2
  CPU: (8) arm64 Apple M1
  Memory: 116.53 MB / 16.00 GB
  Shell: 5.8.1 - /bin/zsh
Binaries:
  Node: 18.12.1 - ~/Library/Caches/fnm_multishells/29183_1677164461499/bin/node
  Yarn: 1.22.19 - ~/Library/Caches/fnm_multishells/29183_1677164461499/bin/yarn
  npm: 8.19.2 - ~/Library/Caches/fnm_multishells/29183_1677164461499/bin/npm
Browsers:
  Chrome: 110.0.5481.177
  Firefox: 108.0.2
  Safari: 16.2
npmPackages:
  @aws-amplify/api-graphql: ^3.1.3 => 3.1.3
  @graphql-codegen/cli: 3.1.0 => 3.1.0
  @graphql-codegen/client-preset: 2.1.0 => 2.1.0
  @mdi/font: ^7.1.96 => 7.1.96
  @pinia/testing: ^0.0.15 => 0.0.15
  @playwright/test: ^1.31.0 => 1.31.0
  @rushstack/eslint-patch: ^1.2.0 => 1.2.0
  @sentry/tracing: ^7.38.0 => 7.38.0
  @sentry/vite-plugin: ^0.4.0 => 0.4.0
  @sentry/vue: ^7.38.0 => 7.38.0
  @storybook/addon-actions: ^6.5.16 => 6.5.16
  @storybook/addon-essentials: ^7.0.0-beta.53 => 7.0.0-beta.53
  @storybook/addon-interactions: ^7.0.0-beta.53 => 7.0.0-beta.53
  @storybook/addon-links: ^7.0.0-beta.53 => 7.0.0-beta.53
  @storybook/blocks: ^7.0.0-alpha.8 => 7.0.0-alpha.8
  @storybook/testing-library: ^0.0.14-next.1 => 0.0.14-next.1
  @storybook/vue3: ^7.0.0-beta.53 => 7.0.0-beta.53
  @storybook/vue3-vite: ^7.0.0-beta.53 => 7.0.0-beta.53
  @tanstack/vue-query: ^4.24.10 => 4.24.10
  @types/jsdom: ^21.1.0 => 21.1.0
  @types/lodash.merge: ^4.6.7 => 4.6.7
  @types/node: ^18.14.0 => 18.14.0
  @types/uuid: ^9.0.1 => 9.0.1
  @types/validator: ^13.7.12 => 13.7.12
  @vitejs/plugin-vue: ^4.0.0 => 4.0.0
  @vitest/ui: ^0.28.5 => 0.28.5
  @vue/eslint-config-prettier: ^7.1.0 => 7.1.0
  @vue/eslint-config-typescript: ^11.0.2 => 11.0.2
  @vue/test-utils: ^2.3.0 => 2.3.0
  @vue/tsconfig: ^0.1.3 => 0.1.3
  aws-amplify: ^5.0.15 => 5.0.15
  axios: ^1.3.3 => 1.3.3
  axios-retry: ^3.4.0 => 3.4.0
  camelcase-keys: ^8.0.2 => 8.0.2
  change-case: ^4.1.2 => 4.1.2
  dotenv: ^16.0.3 => 16.0.3
  eslint: ^8.34.0 => 8.34.0
  eslint-plugin-storybook: ^0.6.11 => 0.6.11
  eslint-plugin-vue: ^9.9.0 => 9.9.0
  graphql: ^16.6.0 => 16.6.0
  husky: ^8.0.3 => 8.0.3
  immutable: ^4.2.4 => 4.2.4
  jsdom: ^21.1.0 => 21.1.0
  keycode: ^2.2.1 => 2.2.1
  lint-staged: ^13.1.2 => 13.1.2
  lodash.merge: ^4.6.2 => 4.6.2
  node-ray: ^1.19.4 => 1.19.4
  npm-run-all: ^4.1.5 => 4.1.5
  pinia: ^2.0.32 => 2.0.32
  prettier: ^2.8.4 => 2.8.4
  react: ^18.2.0 => 18.2.0
  react-dom: ^18.2.0 => 18.2.0
  sass: ^1.58.3 => 1.58.3
  snakecase-keys: ^5.4.5 => 5.4.5
  storybook: ^7.0.0-beta.53 => 7.0.0-beta.53
  typescript: ~4.9.5 => 4.9.5
  uuid: ^9.0.0 => 9.0.0
  validator: ^13.9.0 => 13.9.0
  vite: ^4.1.4 => 4.1.4
  vite-plugin-vuetify: ^1.0.2 => 1.0.2
  vitest: 0.28.5 => 0.28.5
  vue: ^3.2.47 => 3.2.47
  vue-router: ^4.1.6 => 4.1.6
  vue-tsc: ^1.1.7 => 1.1.7
  vue3-smooth-dnd: ^0.0.2 => 0.0.2
  vuetify: ^3.1.6 => 3.1.6
  waveform-data: ^4.3.0 => 4.3.0
  zen-observable-ts: ^1.1.0 => 1.1.0
npmGlobalPackages:
  @aws-amplify/cli: 10.6.0
  corepack: 0.14.2
  diff-so-fancy: 1.4.3
  npm: 8.19.2
  ts-node: 10.9.1
  yarn: 1.22.19
```

Describe the bug

When a user is logged in and making GraphQL requests, their custom attributes from Cognito don't exist in the identity object on the resolver side.

Expected behavior

I would expect custom attributes to be in the claims.

Reproduction steps

Set up GraphQL API and make a request (authenticated)

Code Snippet

Workaround:

```js
import { Amplify, Auth } from 'aws-amplify';

Amplify.configure({
  aws_appsync_graphqlEndpoint: import.meta.env.VITE_GRAPHQL_ENDPOINT,
  aws_appsync_region: 'us-east-1',
  aws_appsync_authenticationType: 'AMAZON_COGNITO_USER_POOLS',
  API: {
    // Override the Authorization header so AppSync receives the ID token
    // (which carries the custom:* attributes) instead of the default access token.
    graphql_headers: async () => ({
      Authorization: (await Auth.currentSession()).getIdToken().getJwtToken(),
    }),
  },
});
```

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response
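An added diagnostic for the behaviour described in this issue (example code, not part of the original report and not Amplify's own): it decodes the ID token and the access token a Cognito session holds and lists the custom:* claims that exist only in the ID token, which is exactly what the AppSync resolver's identity object is missing when the access token is the one sent. The sample tokens are constructed and unsigned; the decoder deliberately skips signature verification, so it is for local inspection only and must never feed an authorization decision.

```javascript
// Added example (not code from the issue or from Amplify): inspect the two
// Cognito JWTs a session holds and report which custom:* claims the access
// token lacks. Decodes WITHOUT verifying the signature: fine for local
// debugging, never acceptable for an authorization decision.

function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Returns the payload (claims) of a compact-serialised JWT as an object.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Which custom:* claims are in the ID token but absent from the access token?
// token_use is surfaced too, so a swapped token (ID sent where access was
// expected, or vice versa) is obvious at a glance.
function compareCustomClaims(idToken, accessToken) {
  const id = decodeJwtPayload(idToken);
  const access = decodeJwtPayload(accessToken);
  const missingFromAccess = Object.keys(id)
    .filter((k) => k.startsWith('custom:') && !(k in access))
    .sort();
  return { idTokenUse: id.token_use, accessTokenUse: access.token_use, missingFromAccess };
}

// --- constructed, unsigned sample tokens (NOT real Cognito tokens) ---
function base64Url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function makeUnsignedJwt(payload) {
  const header = base64Url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64Url(JSON.stringify(payload))}.`; // empty signature segment
}

// Shape mirrors what a Cognito user pool issues: custom attributes appear only
// in the ID token; the access token carries scope/client_id instead.
const sampleIdToken = makeUnsignedJwt({
  sub: '11111111-2222-3333-4444-555555555555',
  token_use: 'id',
  'cognito:username': 'alice',
  email: 'alice@example.com',
  'custom:tenant': 'acme',
  'custom:role': 'editor',
  aud: 'exampleclientid',
  exp: 1700000000,
});
const sampleAccessToken = makeUnsignedJwt({
  sub: '11111111-2222-3333-4444-555555555555',
  token_use: 'access',
  username: 'alice',
  client_id: 'exampleclientid',
  scope: 'aws.cognito.signin.user.admin',
  exp: 1700000000,
});

console.log(compareCustomClaims(sampleIdToken, sampleAccessToken));
```

Run it against the real tokens from `Auth.currentSession()` (`getIdToken().getJwtToken()` and `getAccessToken().getJwtToken()`) to confirm which claims your resolver can see before changing what gets sent in the Authorization header.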

chrisbonifacio commented 1 year ago

Hi @ffxsam thank you for raising this issue. I'm going to mark and track this as a feature request because it's a suggestion to change the current behavior.

Linking to related issue regarding SSR: https://github.com/aws-amplify/amplify-js/issues/7824

ffxsam commented 1 year ago

@chrisbonifacio Thank you!

mattiLeBlanc commented 2 weeks ago

@chrisbonifacio @ffxsam I requested this a couple of years ago and received an email late in 2023 (I believe) that Cognito now supports extra security features which allow you to enhance the access tokens and add extra data. This was in response to my request. You can read about it here https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html and https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/. I haven't had time to implement it myself.

chrisbonifacio commented 2 weeks ago

> @chrisbonifacio @ffxsam I requested this a couple of years ago and received an email late in 2023 (I believe) that Cognito now supports extra security features which allow you to enhance the access tokens and add extra data. This was in response to my request. You can read about it here https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pool-settings-advanced-security.html and https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/. I haven't had time to implement it myself.

That's correct! It is an additional cost but it is now possible to customize the access token to include the same custom attributes, or claims, as the id token.

@ffxsam does this feature fit your use case for having the custom attributes in the resolver's identity when using an access token?
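An added example of the access-token customisation discussed above (not code from this thread, from Amplify or from Cognito): a pre token generation Lambda trigger that copies custom:* user attributes into the access token when the trigger runs as V2_0, and into the ID token only when it runs as V1_0. The event and response shapes follow the documented trigger payloads; the sample event, pool ID and attribute names are constructed. It assumes the user pool is on the feature plan that allows access-token customisation, which is the additional cost mentioned in the comment above.

```javascript
// Added example (not code from this thread, Amplify or Cognito): a Cognito
// "pre token generation" Lambda trigger that surfaces custom:* user
// attributes as token claims.
// Assumptions: the trigger is attached with lambdaVersion V2_0 (requires the
// user pool feature plan that allows access-token customisation); event and
// response shapes follow the documented V1/V2 trigger payloads; the sample
// event below is constructed, not captured from a real pool.

// Only custom:* attributes are copied. Standard attributes such as email are
// left alone, and reserved claims (sub, iss, exp, token_use, ...) are never
// touched, so Cognito has no reason to reject the override.
function selectCustomClaims(userAttributes) {
  const claims = {};
  for (const [name, value] of Object.entries(userAttributes || {})) {
    if (name.startsWith('custom:') && typeof value === 'string') {
      claims[name] = value;
    }
  }
  return claims;
}

// Synchronous core, kept apart from the Lambda entry point so it can be run
// without a runtime. Mutates and returns the event, which is what Cognito expects.
function applyCustomClaims(event) {
  const claims = selectCustomClaims(event.request && event.request.userAttributes);

  if (event.version === '2') {
    // V2_0 trigger: both tokens can be customised, so the access token that
    // Amplify sends to AppSync carries the same custom claims as the ID token.
    event.response.claimsAndScopeOverrideDetails = {
      idTokenGeneration: { claimsToAddOrOverride: { ...claims } },
      accessTokenGeneration: { claimsToAddOrOverride: { ...claims } },
    };
  } else {
    // V1_0 trigger: only the ID token can be customised. The access token is
    // issued unchanged, which is why resolvers see no custom attributes here.
    event.response.claimsOverrideDetails = {
      claimsToAddOrOverride: { ...claims },
    };
  }
  return event;
}

// Lambda entry point.
async function handler(event) {
  return applyCustomClaims(event);
}

// Custom claims that ended up in the access token (empty object if none).
function accessTokenClaims(resultEvent) {
  const details = resultEvent.response.claimsAndScopeOverrideDetails;
  return details && details.accessTokenGeneration
    ? details.accessTokenGeneration.claimsToAddOrOverride
    : {};
}

// Constructed sample V2 event.
const sampleV2Event = {
  version: '2',
  triggerSource: 'TokenGeneration_Authentication',
  userPoolId: 'us-east-1_EXAMPLE',
  userName: 'alice',
  request: {
    userAttributes: {
      sub: '11111111-2222-3333-4444-555555555555',
      email: 'alice@example.com',
      'custom:tenant': 'acme',
      'custom:role': 'editor',
    },
    scopes: ['openid', 'aws.cognito.signin.user.admin'],
    groupConfiguration: { groupsToOverride: [], iamRolesToOverride: [], preferredRole: null },
  },
  response: { claimsAndScopeOverrideDetails: null },
};

if (typeof module !== 'undefined') {
  module.exports = { handler };
}

const demo = applyCustomClaims(JSON.parse(JSON.stringify(sampleV2Event)));
console.log(JSON.stringify(accessTokenClaims(demo)));
```

The V1 branch is there as the failure mode: if the trigger is still attached as V1_0, the handler runs without error but the access token is never customised, and the default Amplify behaviour (access token to AppSync) still yields a resolver identity without custom attributes.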

mattiLeBlanc commented 2 weeks ago

@chrisbonifacio I didn't know it came with an extra cost; I thought expanding the access tokens was part of the free package. Are there any plans to make it part of the free setup so that we can pass more data to our backend? I currently have to swap the access token for the ID token in my Angular app, which works but it is an extra step.