I want to find the access and ID tokens that the identity provider (IdP) issued that I integrated with Amazon Cognito user pools. I want to use these tokens for authorization or troubleshooting purposes.
Short description
The OpenID Connect (OIDC) IdP authentication flow doesn't allow the user or application to see the IdP-side tokens. For authorization or troubleshooting purposes, some use cases require the IdP-issued tokens within the application.
Important: The following resolution assumes that you integrated OIDC IdP or social IdP with Amazon Cognito user pools. If you didn't integrate an IdP with your user pool, then add a user pool sign-in through a third party.
Resolution
Create a custom attribute in a user pool
To create a custom attribute in your user pool, complete the following steps:
- Open the Amazon Cognito console.
- In the navigation pane, choose User pools, and then choose your user pool.
- Under the Custom Attributes section, choose Add custom attributes.
- To create a custom attribute for an access token, enter the following information:
For Name, enter access_token.
For Type, enter String.
For Max, enter 2048.
Select the Mutable option.
- Choose Save.
- To create a custom attribute for an ID token, enter the following information:
For Name, enter id_token.
For Type, enter String.
For Max, enter 2048.
Select the Mutable option.
- Choose Save.
Configure attribute mapping between Amazon Cognito and your IdP
Complete the following steps:
- Open the Amazon Cognito console.
- In the navigation pane, choose User pools, and then choose your user pool.
- Choose Sign-in Experience.
- Under Federated Identity Provider sign-in, select your IdP.
- Under Identity provider information, choose Edit.
- Under Authorized scopes, enter the following information:
For Facebook, enter public_profile, email.
For Google, enter profile email openid.
For Login with Amazon, enter profile postal_code.
For Sign in with Apple, enter email name.
For All other OIDC providers, enter profile email openid.
- On the Identity provider page, under Attribute mapping, choose Edit.
- Under User pool attribute, select your custom attribute.
- Under OpenID Connect attribute, select access_token or id_token.
- Choose Save.
After you configure attribute mapping, the mappings look like the following:
- User pool attribute: custom:id_token, OpenID Connect attribute: id_token
- User pool attribute: custom:access_token, OpenID Connect attribute: access_token
Turn on attribute read and write permissions in your Amazon Cognito app client
When a user signs into the application, Amazon Cognito updates the mapped attributes. For Amazon Cognito to update the mapped user pool attributes, the mapped attributes must be writable in your application's app client settings. For Amazon Cognito to update the user's ID token, the attributes must be readable in your application's app client settings.
To turn on read and write permissions, complete the following steps:
- Open the Amazon Cognito console.
- In the navigation pane, choose User pools, and then choose your user pool.
- Choose App integration.
- Select your app client.
- Under Attribute read and write permissions, choose Edit.
- On the Edit attribute read and write permissions page, select the read and write option for your custom attributes.
- Choose Save.
Note: Repeat these steps for each app client that uses the custom attribute. For more information, see Attribute permissions and scopes.
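The three console procedures above (create the custom attributes, map them to the IdP claims, and make them readable and writable on the app client) can also be done with the Amazon Cognito API. The following is an added example written for this page, not code from AWS: it builds the request parameters with plain helper functions (so they can be checked offline) and only calls the service through boto3 when it is installed and credentials are configured. The user pool ID, provider name and app client ID are placeholders. Two caveats the helpers account for: UpdateIdentityProvider replaces the whole attribute mapping, so the existing mapping is merged rather than overwritten, and UpdateUserPoolClient resets every parameter you omit to its default, so the current client settings are passed back alongside the changed attribute lists (the set of describe-output keys that are dropped before the update is an assumption of this example).

```python
"""Added example (not part of the AWS article): the console steps for IdP token
custom attributes expressed as Amazon Cognito API calls."""
try:
    import boto3  # only needed for the live calls; helpers below work without it
except ImportError:
    boto3 = None

MAX_CUSTOM_ATTR_LEN = 2048  # hard limit for String custom attributes
IDP_TOKEN_ATTRS = ("access_token", "id_token")

# Keys that DescribeUserPoolClient returns but UpdateUserPoolClient does not
# accept as input (assumption of this example, based on the two API shapes).
_READ_ONLY_CLIENT_KEYS = {"ClientSecret", "LastModifiedDate", "CreationDate"}


def custom_attribute_definitions(names=IDP_TOKEN_ATTRS):
    """AddCustomAttributes parameters: String type, mutable, max length 2048.
    Mutable must be True at creation time; it cannot be changed afterwards,
    and an immutable attribute is not refreshed on later sign-ins."""
    return [
        {
            "Name": name,  # Cognito exposes it to the app as custom:<name>
            "AttributeDataType": "String",
            "Mutable": True,
            "StringAttributeConstraints": {
                "MinLength": "0",
                "MaxLength": str(MAX_CUSTOM_ATTR_LEN),  # API takes strings here
            },
        }
        for name in names
    ]


def merged_attribute_mapping(existing, names=IDP_TOKEN_ATTRS):
    """UpdateIdentityProvider replaces the whole AttributeMapping, so merge the
    token mappings into whatever is already mapped (for example, email)."""
    mapping = dict(existing)
    for name in names:
        mapping["custom:" + name] = name  # user pool attribute -> OIDC claim
    return mapping


def with_token_attributes(attrs, names=IDP_TOKEN_ATTRS):
    """Add custom:<name> to a ReadAttributes/WriteAttributes list once."""
    out = list(attrs)
    for name in names:
        full = "custom:" + name
        if full not in out:
            out.append(full)
    return out


def user_pool_client_update_params(described_client):
    """Turn DescribeUserPoolClient output into UpdateUserPoolClient input that
    keeps every current setting and grants read/write on the token attributes."""
    params = {k: v for k, v in described_client.items() if k not in _READ_ONLY_CLIENT_KEYS}
    params["ReadAttributes"] = with_token_attributes(described_client.get("ReadAttributes", []))
    params["WriteAttributes"] = with_token_attributes(described_client.get("WriteAttributes", []))
    return params


def configure_user_pool(user_pool_id, provider_name, client_id, client=None):
    """Apply all three steps to a real user pool (IDs are placeholders)."""
    if client is None:
        if boto3 is None:
            raise RuntimeError("boto3 is required for live calls")
        client = boto3.client("cognito-idp")
    client.add_custom_attributes(
        UserPoolId=user_pool_id, CustomAttributes=custom_attribute_definitions()
    )
    idp = client.describe_identity_provider(
        UserPoolId=user_pool_id, ProviderName=provider_name
    )["IdentityProvider"]
    client.update_identity_provider(
        UserPoolId=user_pool_id,
        ProviderName=provider_name,
        AttributeMapping=merged_attribute_mapping(idp.get("AttributeMapping", {})),
    )
    app = client.describe_user_pool_client(
        UserPoolId=user_pool_id, ClientId=client_id
    )["UserPoolClient"]
    client.update_user_pool_client(**user_pool_client_update_params(app))
    return True


if __name__ == "__main__":
    # Placeholders: replace with your own pool, provider and client identifiers.
    configure_user_pool("USER_POOL_ID_PLACEHOLDER", "Google", "APP_CLIENT_ID_PLACEHOLDER")
```

Run the script once per app client that needs the attributes, as the note above says; the AddCustomAttributes call fails on the second run because the attributes already exist, so drop that step for additional clients on the same pool.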
Use the third-party OIDC provider or social IdP to sign in
When a user signs in through the IdP with the Amazon Cognito hosted UI, the IdP tokens appear in that user's custom attributes. In the console, choose the end user to see the IdP tokens among the user's attributes. When you decode the ID token that Amazon Cognito issues, you also see the custom attributes that contain the IdP tokens.
Example payload section of the ID token that's issued to the end user:
{
"custom:access_token": "ya29.a0AeTM1ic9iv_FqpDQeIN......w1OPKdFEbR_Tea",
"iss": "https://cognito-idp.example_region.amazonaws.com/example_user_pool_id",
"custom:id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhjMjdkYjRkMTN............saDMuZ29vZ2xldXNlcmNv"
}
Important:
- The maximum length for a custom attribute is 2048 characters. When an IdP token exceeds 2048 characters, you receive the following error: "String attributes cannot have a length of more than 2048".
- You can't remove or modify a custom attribute after you create the attribute.
- If the custom attribute isn't updated on subsequent sign-ins, then check the mutability of the custom attribute. This behavior is expected if you cleared the Mutable check box when you created the attribute.
Note: If you still can't get an IdP token, then contact your IdP. Check whether the IdP supports passing its tokens as attributes to Amazon Cognito. Then, contact AWS Support for additional troubleshooting.
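When troubleshooting, it helps to pull the two custom claims out of the Cognito ID token and to check the IdP token against the 2048-character limit from the Important list above before configuring the mapping. The following is an added example written for this page, not code from AWS. It decodes compact JWTs without verifying their signatures, which is fine for inspecting a token in a debugging session but not for trusting its claims: in an application, verify the Cognito ID token against your user pool's JWKS first. The tokens it parses are constructed inline with placeholder signatures; only the issuer format comes from the page.

```python
"""Added example (not part of the AWS article): inspect the IdP tokens that
Amazon Cognito stores in custom:access_token and custom:id_token."""
import base64
import json

MAX_CUSTOM_ATTR_LEN = 2048  # String custom attributes cannot exceed this
IDP_TOKEN_CLAIMS = ("custom:access_token", "custom:id_token")


def _b64url_decode(segment):
    """Decode base64url with the padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwt_payload(token):
    """Return the claims of a compact JWT. The signature is NOT checked here;
    verify against the issuer's JWKS before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def idp_tokens_from_cognito_id_token(cognito_id_token):
    """Extract the IdP-issued tokens that Cognito copied into custom attributes.
    Returns {'access_token': ..., 'id_token': ...} for whichever are present."""
    claims = jwt_payload(cognito_id_token)
    return {
        name[len("custom:"):]: claims[name]
        for name in IDP_TOKEN_CLAIMS
        if name in claims
    }


def fits_custom_attribute(value):
    """True if the token can be stored in a 2048-character String attribute.
    A longer token produces the error quoted in the Important list above."""
    return len(value) <= MAX_CUSTOM_ATTR_LEN


def _make_unsigned_jwt(header, payload):
    """Build a constructed token with a placeholder signature (sample data only)."""
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "constructed-signature",
    ])


# Constructed sample tokens: an IdP ID token nested inside a Cognito ID token.
IDP_ID_TOKEN = _make_unsigned_jwt(
    {"alg": "RS256", "kid": "idp-key-placeholder"},
    {"iss": "https://idp.example.com", "sub": "idp-user-123", "email": "user@example.com"},
)
IDP_ACCESS_TOKEN = "idp-access-token-placeholder"
COGNITO_ID_TOKEN = _make_unsigned_jwt(
    {"alg": "RS256", "kid": "cognito-key-placeholder"},
    {
        "iss": "https://cognito-idp.example_region.amazonaws.com/example_user_pool_id",
        "sub": "cognito-user-placeholder",
        "custom:access_token": IDP_ACCESS_TOKEN,
        "custom:id_token": IDP_ID_TOKEN,
    },
)


if __name__ == "__main__":
    tokens = idp_tokens_from_cognito_id_token(COGNITO_ID_TOKEN)
    for name, value in tokens.items():
        print(f"{name}: {len(value)} chars, fits={fits_custom_attribute(value)}")
    # The stored id_token is itself a JWT, so its claims can be inspected too.
    print("IdP issuer:", jwt_payload(tokens["id_token"])["iss"])
```

The length check is the first thing to run when sign-in fails with the "String attributes cannot have a length of more than 2048" error: Google and Apple ID tokens in particular can grow past the limit once they carry many claims, and the custom attribute cannot be widened after creation.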
Related information
How do I set up Auth0 as an OIDC provider in an Amazon Cognito user pool?
How do I set up LinkedIn as a social identity provider in an Amazon Cognito user pool?
How do I set up Okta as an OpenID Connect identity provider in an Amazon Cognito user pool?
How do I set up Google as a federated identity provider in an Amazon Cognito user pool?
View a SAML response in your browser