aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0
11.72k stars 3.94k forks

(aws_cognito): Support Custom Attributes in Access Tokens #27717

Open Borduhh opened 1 year ago

Borduhh commented 1 year ago

Describe the feature

I don't know if this is the right place for this. However, we use OAuth2 with our APIs to secure them with the authorization grant and client credentials flows.

One use case for this is allowing users to access our core APIs from their third-party applications directly. Currently, we use Auth0 to do this because they enable us to put the user's ID and organization ID in as custom claims and pass that info along with the access token, which gives us a complete picture of who is using the API (via a combo of user ID, organization ID, and scopes).

We've done a lot of research on this to make it work, to no avail. We would love to use Cognito via CDK, but this limitation is showstopping.

Use Case

We need this to get the complete picture of who is accessing our API with the following attributes:

Proposed Solution

Using the post login hook for Cognito, allow a user to add custom claims to that authorization token before it is created. This is the same way that Auth0 does it.

Other Information

No response

Acknowledgements

CDK version used

^2.97.1

Environment details (OS name and version, etc.)

MacOS Latest Version

Borduhh commented 7 months ago

An update. I saw this article that announced support for custom access tokens: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/

Unfortunately, it doesn't support using the client_credentials flow, which is needed in our case. Quoted from this article https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html:

Although you can generate access tokens for machine-to-machine (M2M) authorization with Amazon Cognito with a client credentials grant, M2M requests don’t invoke the pre token generation trigger function and can't issue customized access tokens. For more information about access tokens, see Using the access token.

Borduhh commented 4 months ago

I hope all is well! I was hoping to get an update on this. Like us, I am sure hundreds of others are paying Auth0 solely because of this issue.

mirkods commented 4 months ago

Hi @Borduhh,

this feature has finally been released 6 months ago, here the announcement https://aws.amazon.com/it/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens.

Keep in mind that using this feature you will be charged additional costs on Cognito (but it is obviously still much cheaper than Auth0).

Borduhh commented 4 months ago

> Hi @Borduhh,
>
> this feature has finally been released 6 months ago, here the announcement https://aws.amazon.com/it/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens.
>
> Keep in mind that using this feature you will be charged additional costs on Cognito (but it is obviously still much cheaper than Auth0).

It appears that we still can't do it with M2M tokens (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html):

Although you can generate access tokens for machine-to-machine (M2M) authorization with Amazon Cognito with a client credentials grant, M2M requests don’t invoke the pre token generation trigger function and can't issue customized access tokens.

Currently our process is that a third party can generate a new Client ID and Client Secret from our system and then use that to generate an access token for our external APIs. We use the custom attributes to tie the user's company ID to the token to ensure they only get access to their own data and perform actions for their own company.
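Added worked example, not code from this issue or from the aws-cdk project. It covers both halves of the thread: the pre token generation trigger proposed in the opening comment, written against the V2_0 event that the December 2023 announcement introduced, and the M2M gap from the last comment, where client_credentials tokens never pass through the trigger. Assumptions that the page does not state: the user pool has a custom attribute `custom:org_id`, the added access-token claim is named `org_id`, and the API keeps its own (hypothetical) `M2M_CLIENT_ORGS` registry filled in when a third party creates a client. The sample event and the token claims at the end are constructed for the example.

```typescript
// Added example, not code from this issue or from aws-cdk. Assumptions not stated
// on the page: the user pool has a custom attribute `custom:org_id`, the trigger is
// wired with the V2_0 event version, and the API keeps its own client-id -> org
// registry for client_credentials tokens (the trigger never runs for those).

// Fields of the V2 pre token generation event that this handler uses.
export interface PreTokenGenV2Event {
  version: string;
  triggerSource: string;
  callerContext: { clientId: string };
  request: { userAttributes: Record<string, string>; scopes?: string[] };
  response: {
    claimsAndScopeOverrideDetails?: {
      accessTokenGeneration?: {
        claimsToAddOrOverride?: Record<string, string>;
        claimsToSuppress?: string[];
        scopesToAdd?: string[];
        scopesToSuppress?: string[];
      };
    };
  };
}

// Lambda handler for the trigger: copy the user's organisation id into the access
// token as an `org_id` claim. `sub` is already in the access token, so together
// with `scope` the API sees user + org + scopes, which is what the issue asks for.
export function handler(event: PreTokenGenV2Event): PreTokenGenV2Event {
  // The V1 event (`version: "1"`) only customises the ID token; fail loudly
  // rather than issue an access token the API will later reject.
  if (event.version !== "2") {
    throw new Error(`event version ${event.version}: access token customisation needs V2_0`);
  }
  const orgId = event.request.userAttributes["custom:org_id"];
  if (!orgId) {
    // Fail closed: a user without an organisation gets no token at all.
    throw new Error("user has no custom:org_id attribute");
  }
  event.response.claimsAndScopeOverrideDetails = {
    accessTokenGeneration: {
      claimsToAddOrOverride: { org_id: orgId },
      claimsToSuppress: [],
      scopesToAdd: [],
      scopesToSuppress: [],
    },
  };
  return event;
}

// Constructed sample event for a user sign-in through a user-facing app client.
export function sampleEvent(version: string): PreTokenGenV2Event {
  return {
    version,
    triggerSource: "TokenGeneration_Authentication",
    callerContext: { clientId: "web-client-1" },
    request: {
      userAttributes: { sub: "user-42", "custom:org_id": "org-1234" },
      scopes: ["openid", "api/read"],
    },
    response: {},
  };
}

// --- Resource server side -----------------------------------------------------

// Claims of an access token whose signature has already been verified against the
// user pool's JWKS (verification is out of scope here). `org_id` is only present on
// tokens that went through the trigger above.
export interface AccessClaims {
  sub: string;
  client_id: string;
  token_use: string;
  scope: string; // space separated, as Cognito emits it
  org_id?: string;
}

// Hypothetical registry the API fills when a third party creates a client
// (constructed for this example).
export const M2M_CLIENT_ORGS: Record<string, string> = {
  "3rdparty-client-abc": "org-1234",
};

// Which organisation does this token act for? User tokens carry it as a claim;
// client_credentials tokens never ran the trigger, have no user behind them and
// carry `sub` equal to the app client id, so map the client id instead.
export function resolveOrg(claims: AccessClaims): string | undefined {
  if (claims.token_use !== "access") return undefined;
  if (claims.org_id) return claims.org_id;
  if (claims.sub === claims.client_id) return M2M_CLIENT_ORGS[claims.client_id];
  return undefined;
}

// Tenant check the API runs before touching any data: the token's organisation
// must match the one the request targets, and the scope must be granted.
export function authorize(claims: AccessClaims, requestedOrg: string, requiredScope: string): boolean {
  const org = resolveOrg(claims);
  if (org === undefined || org !== requestedOrg) return false;
  return claims.scope.split(" ").indexOf(requiredScope) !== -1;
}
```

Wiring notes: in CDK the V2 event is selected when attaching the trigger, which as far as I recall is `userPool.addTrigger(cognito.UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, fn, cognito.LambdaVersion.V2_0)` (check it against the aws-cdk-lib version you use), and the AWS docs require advanced security features to be active on the pool for access token customisation, which is the extra charge mentioned above. Registered claims such as `sub`, `iss`, `aud`, `exp` and `token_use` cannot be overridden from the trigger, so keep to your own claim names. The `resolveOrg` fallback is the only way to keep the "complete picture" for client_credentials tokens as long as they do not invoke the trigger, and it is the API, not Cognito, that then vouches for the client-to-organisation binding.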