aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

(aws_cognito): Support Custom Attributes in Access Tokens #27717

Open Borduhh opened 8 months ago

Borduhh commented 8 months ago

Describe the feature

I don't know if this is the right place for this. However, we use OAuth2 with our APIs to secure them with the authorization grant and client credentials flows.

One use case for this is allowing users to access our core APIs from their third-party applications directly. Currently, we use Auth0 to do this because they enable us to put the user's ID and organization ID in as custom claims and pass that info along with the access token, which gives us a complete picture of who is using the API (via a combo of user ID, organization ID, and scopes).

We've done a lot of research on this to make it work, to no avail. We would love to use Cognito via CDK, but this limitation is showstopping.

Use Case

We need this to get the complete picture of who is accessing our API with the following attributes:

Proposed Solution

Using the post login hook for Cognito, allow a user to add custom claims to that authorization token before it is created. This is the same way that Auth0 does it.

Other Information

No response

Acknowledgements

CDK version used

^2.97.1

Environment details (OS name and version, etc.)

MacOS Latest Version

Borduhh commented 3 months ago

An update. I saw this article that announced support for custom access tokens: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/

Unfortunately, it doesn't support using the client_credentials flow, which is needed in our case. Quoted from this article https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html:

Although you can generate access tokens for machine-to-machine (M2M) authorization with Amazon Cognito with a client credentials grant, M2M requests don’t invoke the pre token generation trigger function and can't issue customized access tokens. For more information about access tokens, see Using the access token.
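To make the quoted limitation concrete, here is an added example (not code from the issue author or from the aws-cdk project) showing the two halves of the approach the linked Cognito article describes: a Pre Token Generation trigger using the V2_0 event shape, which is the version that can add claims to the access token, and an API-side helper that reads the resulting claims. The attribute name `custom:organization_id`, the claim name `https://api.example.com/org_id`, and the decision to tell user tokens from client-credentials tokens by the presence of a `username` claim are all assumptions made for this example. Because Cognito does not invoke the trigger for client_credentials grants, the API-side helper treats a token without the organization claim as a machine caller rather than failing.

```typescript
// Added example, not code from the issue or the aws-cdk project.
// Part 1: Pre Token Generation handler for the V2_0 trigger event.
// Only the parts of the event this handler reads or writes are typed.

interface AccessTokenGeneration {
  claimsToAddOrOverride?: Record<string, string>;
  claimsToSuppress?: string[];
  scopesToAdd?: string[];
  scopesToSuppress?: string[];
}

interface PreTokenGenV2Event {
  version: string; // "1" for the legacy trigger, "2" for V2_0
  triggerSource: string; // e.g. "TokenGeneration_Authentication"
  request: { userAttributes: Record<string, string>; scopes?: string[] };
  response: {
    claimsAndScopeOverrideDetails: { accessTokenGeneration?: AccessTokenGeneration } | null;
  };
}

// Assumed custom attribute defined on the user pool (Cognito prefixes custom attributes with "custom:").
export const ORG_ATTRIBUTE = "custom:organization_id";
// Assumed claim name; a URL-style name avoids colliding with registered JWT claims such as "sub" or "scope".
export const ORG_CLAIM = "https://api.example.com/org_id";

export function handler(event: PreTokenGenV2Event): PreTokenGenV2Event {
  // The legacy (V1) event has no accessTokenGeneration section, so there is nothing we can do for it.
  if (event.version === "1") {
    return event;
  }
  const orgId = event.request.userAttributes[ORG_ATTRIBUTE];
  const added: Record<string, string> = {};
  if (orgId) {
    added[ORG_CLAIM] = orgId; // the user ID itself already travels as the standard "sub" claim
  }
  // Merge rather than replace, so any overrides another part of the trigger set up survive.
  const existing = event.response.claimsAndScopeOverrideDetails ?? {};
  const access = existing.accessTokenGeneration ?? {};
  event.response.claimsAndScopeOverrideDetails = {
    ...existing,
    accessTokenGeneration: {
      ...access,
      claimsToAddOrOverride: { ...(access.claimsToAddOrOverride ?? {}), ...added },
    },
  };
  return event;
}

// Part 2: API-side reader for a verified, decoded access-token payload.
// Signature verification is assumed to have happened already (e.g. against the pool's JWKS).

export interface Caller {
  kind: "user" | "m2m";
  subject: string;
  orgId: string | null;
  scopes: string[];
}

export function describeCaller(payload: Record<string, unknown>): Caller | null {
  // Reject ID tokens and anything else that is not an access token.
  if (payload["token_use"] !== "access") {
    return null;
  }
  const sub = payload["sub"];
  if (typeof sub !== "string" || sub.length === 0) {
    return null;
  }
  const scopeValue = payload["scope"];
  const scopes = typeof scopeValue === "string" ? scopeValue.split(" ").filter(Boolean) : [];
  const orgValue = payload[ORG_CLAIM];
  const orgId = typeof orgValue === "string" ? orgValue : null;
  // Assumption for this example: user access tokens carry a "username" claim, client-credentials
  // tokens do not. Client-credentials tokens never pass through the trigger, so orgId stays null
  // for them and the API must authorize them on client identity and scopes alone.
  const kind: Caller["kind"] = typeof payload["username"] === "string" ? "user" : "m2m";
  return { kind, subject: sub, orgId, scopes };
}
```

Wiring the handler to the pool is a separate step in CDK (attaching it as the pre token generation trigger with the V2_0 version selected); the handler above is independent of how it is attached.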

Borduhh commented 3 days ago

I hope all is well! I was hoping to get an update on this. Like us, I am sure hundreds of others are paying Auth0 solely because of this issue.