How can I get custom scopes in the access token when I make an InitiateAuth or AdminInitiateAuth API call?

Short description

An access token returns custom scopes when you use OAuth endpoints for authentication. However, the API calls InitiateAuth or AdminInitiate don't return custom scopes in the access token because the calls don't use OAuth endpoints during authentication.
Note: Amazon Cognito allows you to customize access token. For more information, see Pre token generation Lambda trigger.

Resolution

Prerequisites

Before you begin, make sure you completed the following:

• Configure an Amazon Cognito user pool with a user and an app client.
• Define the resource server and custom scopes.

Create a Lambda function

Complete the following steps to create custom scopes:

1. Create an AWS Lambda function.

2. Modify the code in the Code tab. Copy and paste the following code for the action into the code editor:

   const handler = async (event) => {
    event.response = {
    claimsAndScopeOverrideDetails: {
    accessTokenGeneration: {
    scopesToAdd: ["com.example.photos/read", "com.example.photos/write"]
    }
    },
    };
    return event;
   };
   export { handler }

   Note: You can substitute your own custom scopes for the scopesToAdd parameter.

Add the Lambda trigger to the Cognito user pool

Complete the following steps to add the Lambda trigger:

1. Log in to the Amazon Cognito console.
2. From User pool name, choose the user pool that you created earlier.
3. Choose the User pool properties tab.
4. Under Lambda triggers, select Add Lambda trigger.
5. Choose Authentication, and then choose Pre token generation trigger.
6. Choose Basic features + access token customization.
   Note: Before you select this option, make sure that you activated the advanced security features.
7. Choose the Lambda function that you created earlier and add the trigger.

Use the API calls to authenticate the user

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Sign in using the InitiateAuth call or the AdminInitiateAuth API call. Here are the sample CLI calls for reference:

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=username,PASSWORD=password --client-id app_client_id --region region_name

-or-

aws cognito-idp admin-initiate-auth --auth-flow ADMIN_USER_PASSWORD_AUTH --auth-parameters USERNAME=username,PASSWORD=password --client-id app_client_id --user-pool-id userpool_id --region region_name

Note: Replace username and password with your username and password. Replace app_client_id with the app client ID, userpool_id with your Cognito user pool ID, and the region_name with the Region name where the user pool is located.

The pre token generation Lambda function adds the custom scopes when the access token is generated. Decode the access token to see the custom scopes.
Note: You can modify other parameters such as user attributes, scopes, group configuration, and client metadata to generate access tokens with custom scopes.