In our current project, we are using a serverless architecture leveraging AWS Cognito as IdP, AWS API Gateway and AWS Lambda. For our current application, we have some partners who are registered in the Cognito user pool as App Clients. The users in the Cognito user pool will be only web portal users. The partners will directly interact with our backend APIs. For service-to-service communication, we are making use of the OAuth client credentials grant to generate an access token from Cognito at the /oauth2/token endpoint.
The challenge that we perceive here is that the partners will have their own users who would be consuming the APIs exposed from our backend Lambda through API Gateway. The users will not have any existence in our Cognito user pool. But in order for us to respond back to their requests, we would need some user information coming to us (possibly as claims in the access token generated).
We are looking at the option of having a pre-token generation Lambda fetch user info from an API and override the claims in the token. But as per our understanding, claim overriding can only happen in the ID token and not the access token.
What is the best possible way to enable server-to-server communication with user information available in token claims? Please guide me.
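An added example, not code from the original post or from AWS, showing what the pre-token generation trigger can change: a Python handler that serves trigger event version 1 (where only ID token claims can be overridden) and version 2 (which the user pool sends only when access token customization is enabled for it, and which also accepts access token claims). The partner lookup table, the claim names and the `build_claims`/`lambda_handler` functions are constructed assumptions standing in for the external user-info API mentioned above.

```python
"""Pre token generation Lambda handler (added example, not from the post).

Assumes a constructed in-memory partner lookup (PARTNER_USERS) keyed by the
Cognito userName, standing in for the external user-info API; claim names
are constructed for illustration.
"""
import re

# Constructed sample data standing in for the partner user-info API.
PARTNER_USERS = {
    "alice": {"partner_user_id": "u-1001", "partner_role": "reader"},
}

# Only these keys may be copied into a token. Reserved claims such as
# sub, iss, aud, exp, token_use and cognito:groups are never touched.
ALLOWED_CLAIMS = {"partner_user_id", "partner_role"}
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")


def build_claims(user_info):
    """Filter a partner record down to allow-listed, sanitized string claims."""
    claims = {}
    for key in ALLOWED_CLAIMS:
        value = user_info.get(key)
        if isinstance(value, str) and SAFE_VALUE.match(value):
            claims[key] = value
    return claims


def lambda_handler(event, context=None):
    """Inject partner user claims according to the trigger event version."""
    claims = build_claims(PARTNER_USERS.get(event.get("userName", ""), {}))
    if event.get("version") == "2":
        # Version 2 event: access token claims can be customized as well.
        event["response"]["claimsAndScopeOverrideDetails"] = {
            "idTokenGeneration": {"claimsToAddOrOverride": claims},
            "accessTokenGeneration": {"claimsToAddOrOverride": claims},
        }
    else:
        # Version 1 event: only the ID token accepts claim overrides.
        event["response"]["claimsOverrideDetails"] = {
            "claimsToAddOrOverride": claims,
        }
    return event
```

Cognito does not invoke this trigger for the client credentials grant, so it only affects tokens issued for a user-based flow; the allow-list and value check keep an upstream partner API from injecting arbitrary or reserved claims.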