Pre Token Generation Trigger Not Invoked

0

I've created a new User Pool and am confident other triggers are working, because the Post Authentication trigger is working perfectly. The integration with Facebook as an identity provider is working flawlessly. I am trying to get an OpenID integration working with Twitch and have everything working except for retrieving the user's email during authentication. I have added the appropriate claims in my lambda function, but I see no log of it ever being called by the User Pool authentication flow. Has anyone else seen this failure to invoke?

The lambda function is very simple. It simply changes the response to include:

    // Pre Token Generation trigger handler (Node.js Lambda)
    exports.handler = async (event) => {
        event.response = {
            "claimsOverrideDetails": {
                "claimsToAddOrOverride": {
                    "email": "null",
                    "email_verified": "null"
                }
            }
        };
        return event; // Cognito reads the mutated event as the trigger result
    };

When I manually add this parameter to the OpenID call to twitch, I can get the user to successfully be added to my pool:

https://id.twitch.tv/oauth2/authorize?claims={"id_token":{"email":null,"email_verified":null}}&client_id=...

I am not seeing any errors. I am just not seeing any invocation at all.

Asked 5 years ago, 900 views
1 answer
0

I finally got a message back from AWS Support that made sense, so I hope to spare someone the hours of searching it took me.

The bottom line is that the Pre Token Generation Trigger is called before the token is created and sent back to the redirect_url. It is NOT called before the token request is made to the identity provider. The intent is to allow the lambda function to manipulate what actually goes in to the token being passed back. What I need is the ability to alter the claims made to the identity provider. That is not possible with any of the User Pool triggers available today (2019-04-20).

The only solution is to create a User Pool that does not have any required attributes other than an identifier for each user. You can't require email if an identity provider does not provide it using the standard OpenID 'email' scope. In my case, since Twitch does not provide it by that name, my User Pool can not require it.

AWS needs to add the ability to add specific claims in the request to identity providers. Until it does, they haven't fully implemented OpenID.

Answered 5 years ago
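A Pre Token Generation handler that works within the constraint the answer describes, as an added example (not code from the original post): it only derives token claims from attributes Cognito already holds after the provider exchange. The `custom:internal_ref` attribute name is a hypothetical placeholder.

```javascript
// Added example, not code from the original post: a Cognito Pre Token
// Generation handler that sets ID-token claims only from attributes the
// identity provider already returned. The trigger runs after Cognito has
// finished the exchange with the provider, so nothing here can change the
// claims requested from it (the point made in the answer above).

function buildClaimsOverride(userAttributes) {
  const claimsToAddOrOverride = {};
  const claimsToSuppress = [];

  // Add an email claim only when the attribute really exists. Writing the
  // literal string "null" would stamp a bogus, non-empty email into every token.
  if (typeof userAttributes.email === "string" && userAttributes.email !== "") {
    claimsToAddOrOverride.email = userAttributes.email;
    // email_verified must mirror what the provider asserted, never be hard-coded;
    // claim values in claimsToAddOrOverride are strings.
    claimsToAddOrOverride.email_verified =
      userAttributes.email_verified === "true" ? "true" : "false";
  }

  // Hypothetical internal custom attribute (assumption, not from the post):
  // keep it out of tokens handed to clients.
  if ("custom:internal_ref" in userAttributes) {
    claimsToSuppress.push("custom:internal_ref");
  }

  return { claimsToAddOrOverride, claimsToSuppress };
}

const handler = async (event) => {
  const attrs = (event.request && event.request.userAttributes) || {};
  event.response = { claimsOverrideDetails: buildClaimsOverride(attrs) };
  return event; // Cognito reads the mutated event as the trigger result
};

// Constructed sample: a federated user whose provider returned no email.
const sampleEvent = {
  triggerSource: "TokenGeneration_HostedAuth",
  request: { userAttributes: { sub: "00000000-0000-0000-0000-000000000000",
                               "custom:internal_ref": "r-1" } },
  response: {}
};

if (typeof module !== "undefined") {
  module.exports = { buildClaimsOverride, handler, sampleEvent };
}
```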
