Salta al contenuto
Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post
Informazioni su re:Post

COGNITO: ClientMetadata is not passed to PreTokenGeneration Lambda trigger on REFRESH_TOKEN_AUTH

0

I am facing a limitation in Amazon Cognito where the ClientMetadata parameter is not consistently forwarded to Lambda triggers on refresh token operation.

In my specific use case:

  • I am using the AdminInitiateAuthCommand with AuthFlow: REFRESH_TOKEN_AUTH.
  • I pass custom key-value pairs via the ClientMetadata parameter when initiating the request.
  • However, Cognito does not forward this ClientMetadata to any of the triggers involved in the refresh token flow, such as the PreTokenGeneration.

This creates a gap where contextual client information (which is available at initial authentication flows) becomes unavailable during token refresh operations. In many scenarios, it is important to pass metadata at refresh time (e.g. for multi-tenant with multi session setups, client instance identifiers, A/B testing, audit reasons, or custom claim logic).

This inconsistency forces developers to implement complex workarounds, such as:

  • External session stores.
  • Client-side state persistence.
  • Unnecessary calls to custom APIs to propagate metadata manually.

Feature request: Please consider extending Cognito to allow ClientMetadata to be passed through during refresh token operations, and be made available to Lambda triggers involved in these flows — in the same way as initial authentication flows.

Argomenti
Sicurezza, identità e conformità
Tag
Amazon Cognito
Lingua
English
posta 5 mesi fa91 visualizzazioni
1 Risposta
0

You're absolutely right, we ran into the exact same issue. ClientMetadata not being passed to Lambda triggers like PreTokenGeneration during REFRESH_TOKEN_AUTH is definitely a limitation, especially for multi-tenant or context-aware setups.

Since Cognito doesn’t support this natively (yet), here’s what we’re doing as a workaround:

Try with the below workaround: At initial login (when ClientMetadata is available), we store the key context (like tenant ID, feature flags, etc.) in a DynamoDB table keyed by user sub or a session ID.

Then in the PreTokenGeneration Lambda (during refresh), we look up the relevant context using the user’s sub and apply our custom logic for claims, roles, etc.

It’s not ideal, adds a little complexity, but works reliably until AWS (hopefully) supports this natively for token refresh flows.

Would definitely +1 this as a feature request. Having ClientMetadata consistently available across all auth flows would make things much cleaner.

con risposta 5 mesi fa
  • Leo
    5 mesi fa

    Thanks for the suggestion! Unfortunately, this workaround doesn't fully cover my scenario. In my case, users can have multiple active sessions across multiple tenants and devices, and they can switch tenants within the same session. For example:

    Session 1 (Device 1):

    • User signs in to Tenant A;
    • Gets tokens with tenantId: A;

    Session 2 (Device 2):

    • User signs in to Tenant A;
    • Then switches to Tenant B (e.g., via a "switch tenant" action), new tokens are generated having tenantId: B.

    The problem arises during refresh of Session 2:

    • On refresh, I still know which tenant the client is operating under (because the client holds the current access token with tenantId: B).
    • However, when calling AdminInitiateAuth (REFRESH_TOKEN_AUTH), I can't pass ClientMetadata with the current tenant context.
    • As a result, the PreTokenGeneration trigger has no information about which tenant the refresh belongs to, and can't correctly reissue tokens with the right tenantId claim.

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Contenuto pertinente