Cognito Pre-Token Generation Lambda Cannot Accept List Overrides

4

Looking at the docs for Cognito pre-token generation lambda hooks: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

I see I can change the fields in the ID token. One field I need to update involves setting the value to an array: e.g. "permissions": ["read", "write", "execute"].

This is what my Lambda looks like

// Cognito Pre Token Generation trigger: the claims added here end up in the ID token
exports.handler = (event, context, callback) => {
    event.response = {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "role": "user",
                // array-valued claim: this is what makes the hook fail
                "permissions": ["read", "write", "execute"]
            }
        }
    };

    // hand the modified event back to Cognito
    callback(null, event);
};

However, the hook fails. JWTs allow array (and object) claim values. Any idea when this feature might be enabled?

Thanks!

  • This is a very long-standing bug (2018). I would not expect a solution very soon. I saw a workaround that you could work with: just stringify the array.

3 answers
3

Is there any update or plan when this feature will be implemented? We really need this feature for an Amplify application where we want to make use of the "groupClaim" attribute, which we want to generate ourselves in a pre token Lambda function. I cannot really understand why there is this option (groupClaim in GraphQL auth) when you cannot create another array than cognito:groups with the AWS Cognito pre token generation Lambda.

answered 2 years ago
1

This bug has been around for almost 5 years now, like JaccoPK said. Is there any update or plan when this feature will be implemented? It's becoming a very big problem with Amplify/AppSync apps and with how their resolvers handle custom claims.

answered a year ago
-2

Hi,

Currently only the string type is supported for custom claims, so you need to represent your list as a string, something like this: "permissions": "[read, write, execute]"

AWS
EXPERT
answered 2 years ago
  • Hey Mahmoud,

    Thanks for the quick reply. Is there any timeline for when this will change? I'm using a service that needs it in this format; I'm unable to set these parameters as a string; it must be a list.

    If Cognito cannot accept list parameters (which is part of the JWT spec) then I cannot use Cognito and will have to use something else such as KeyCloak.

    Thanks!

  • This is definitely an oversight by the Cognito team. We are paying extra for this pre token generation functionality but then are restricted to string types? auth_time generated by Cognito, for instance, is a number, so there is definitely the possibility to store correct types instead of inferring that data is encoded as a string.
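The stringify workaround from the question's comment and the accepted answer, written out as an added example (not code from the original posts or from AWS): the trigger serialises the list with JSON.stringify so it round-trips, and the consuming side parses it back and rejects anything that is not a JSON array, including the non-JSON form "[read, write, execute]". The helper names `buildClaims`, `parseListClaim` and `hasPermission` are my own.

```javascript
// Pre Token Generation trigger: custom claims must be strings, so the
// array is serialised before being placed in the token.
function buildClaims(event) {
  const permissions = ["read", "write", "execute"]; // constructed sample
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {
        role: "user",
        // JSON.stringify yields '["read","write","execute"]', which any
        // JSON parser turns back into an array on the consuming side.
        permissions: JSON.stringify(permissions),
      },
    },
  };
  return event;
}

// Lambda entry point (hypothetical name kept as Lambda expects it).
const handler = async (event) => buildClaims(event);

// Consumer side: decode the claim into an array of strings. A JSON string
// or an already-parsed array is accepted; malformed input (such as the
// expert's "[read, write, execute]", which is not valid JSON) yields an
// empty list so that no permission is granted by accident.
function parseListClaim(value) {
  if (Array.isArray(value)) {
    return value.filter((v) => typeof v === "string");
  }
  if (typeof value !== "string") return [];
  let parsed;
  try {
    parsed = JSON.parse(value);
  } catch {
    return []; // not JSON: fail closed
  }
  return Array.isArray(parsed) ? parsed.filter((v) => typeof v === "string") : [];
}

// Authorisation check over the decoded claims object of a verified token.
function hasPermission(claims, needed) {
  return parseListClaim(claims.permissions).includes(needed);
}

// Export for the Lambda runtime when loaded as a CommonJS module.
if (typeof module !== "undefined") {
  module.exports = { handler, buildClaims, parseListClaim, hasPermission };
}
```

Signature verification of the token is assumed to have happened before `hasPermission` is consulted.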
