Tags: amazon-web-services, aws-lambda, aws-sdk, amazon-cognito

Custom attributes in Cognito Access Token


I'm relatively new to AWS, so my lack of knowledge may be the reason I don't understand why this doesn't work. However, I've looked around the web as well as the docs for solutions (for a couple of days now), and those solutions, for reasons I still don't understand, do not work in my case.

The problem I'm having is that my users have custom attributes set on them that aren't present in the JWT access_token when authenticating a user. These are the custom attributes I need in the token.

However, when authenticating the user on my express backend using the @aws-sdk/client-cognito-identity-provider:

const pool = await this._awsCognitoService
    .initiateAuth({
        AuthFlow: "USER_PASSWORD_AUTH",
        ClientId: process.env.CLIENT_ID,
        AuthParameters: {
            USERNAME: data.email,
            PASSWORD: data.password,
        },
    });

after decoding the AccessToken, none of my custom attributes are present.

So I've added a lambda function trigger for pre-token generation (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html)

and the code looks like this:

// Pre Token Generation trigger: copies two custom user attributes into the token claims
exports.handler = (event, context, callback) => {
    event.response = {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "custom:branch_id": event.request.userAttributes["custom:branch_id"],
                "custom:company_id": event.request.userAttributes["custom:company_id"],
            },
        },
    };

    callback(null, event);
};

The Pre-Token Generation Lambda Function does get triggered when a user authenticates (via the express app).

However, the access token retrieved from initiateAuth(...) has none of those attributes that I've set to override.

I've already enabled read and write for the custom attributes, so that wasn't the problem. (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html)

I know this had nothing to do with the problem, but I was left with no option but to just try. I've enabled all the attributes on App Client Settings just so I can see those sweet sweet custom attributes, but still the same. No custom attribute present on the token.

Initially, all those checkboxes were unchecked. I reverted it to its initial state because this did nothing to help the situation.

Any help would be appreciated.


Solution

  • As far as I understand, the custom attributes are only available as extra metadata on the client for ID tokens; they don't relate at all to the authentication process and aren't present in the JWT for access tokens. The access token payload contains claims about the authenticated user and not custom-added attributes. You can refer to this to learn more about them.

    Here is a sample ID token payload, as in the AWS docs:

      {
          "sub": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
          "aud": "xxxxxxxxxxxxexample",
          "email_verified": true,
          "token_use": "id",
          "auth_time": 1500009400,
          "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example",
          "cognito:username": "janedoe",
          "exp": 1500013000,
          "given_name": "Jane",
          "iat": 1500009400,
          "email": "janedoe@example.com",
          "jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
          "origin_jti": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
      }