Why do Cognito access tokens not have an audience claim?

0

I was watching one of AWS' guides on Cognito.

At a point in the video (15:08), the guy copied his id_token and used it to authenticate his API call (rather than his access_token, as you might expect).

Initially I thought this was unintentional and that it was just a happy coincidence that it worked. But when I went about this the "right" way, and sent the access_token (or rather, let Postman's OAuth 2.0 authentication pass it for me), I got hit with the following error from the Cognito SDK:

Invalid login token. Missing a required claim: aud

I checked and, sure enough, no aud claim in the access_token, but there was one in the id_token, which was obviously the reason the guide was using the id_token. But why?? Is this intentional misuse?

Even according to AWS' own documentation:

The purpose of the access token is to authorize API operations

Edit: A week or so after posting this, YouTube (being YouTube) decided that I should watch this: ID Tokens vs Access Tokens - Do you know the difference?! (for the TLDR just skip to 6:57).

There's nothing new here for most people familiar with OAuth/OIDC. But it directly contradicts Cognito's use. I don't want this edit to repurpose this question as pure criticism - that wasn't the original intent. If anybody has knowledge as to why Cognito devs have (or may have) taken this approach - please post!

ANeeson
asked 2 years ago, 334 views
1 Answer
1

Hello,

The Identity Pool integrates with User Pool where the User Pool serves as the authentication provider. One of the benefits of this integration is that the authenticated user's groups and role association in the User Pool can be used to grant fine-grained access control in the Identity Pool. For example, you can have a rule in your Identity Pool that grants read-only permissions to the user if they belong to a read-only group in the User Pool.

The access token in the OAuth framework was not intended to contain user information like group association and attributes. You typically will use the access token to obtain the Id Token which will contain the user information. Since the fine-grained access control could rely on the user information, you will need to use the Id token to provide the user's information to the Identity Pool which you can then leverage to create rules for your fine-grained access control.

I hope this provides clarity as to why the Id token is used in this case.

For more information, please refer to the Role-based access control documentation - https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

AWS
answered 2 years ago
  • So you're saying that the answer is "yes", this is intentional misuse? I.e. they need the claims, but are trying to save a trip to the userinfo endpoint to get them? Some systems use JWT access_tokens to skip this step, but they're still access tokens. I had assumed that this is what Cognito was trying to do, as their access_token was a JWT.

    So assuming they are intentionally misusing id_tokens, why is their access_token a JWT? What are you supposed to do with it?

  • This appears to break the spec for OAuth 2.0 access tokens: https://www.rfc-editor.org/rfc/rfc9068.html#name-data-structure
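An added example, not from the question, the answer or AWS, in Python: it decodes the payload of each token without verifying the signature (inspection only) and reports which of the claims an identity-pool login needs are missing, reproducing the "Missing a required claim: aud" outcome. The sample tokens are constructed; that Cognito's ID token carries aud while its access token carries client_id and token_use instead is an assumption based on the claim shapes described in the question.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS WITHOUT verifying the signature.

    This is for inspection only: verify the signature against the issuer's
    JWKS (and check iss/exp) before trusting any claim in a real consumer.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def missing_claims(claims: dict, required=("iss", "sub", "aud", "exp")) -> list:
    """Claims an OIDC relying party (here, the identity pool) expects but lacks."""
    return [name for name in required if name not in claims]


def _constructed_jwt(payload: dict) -> str:
    # Constructed sample: header and payload are real base64url JSON,
    # the signature segment is a dummy string and is never checked here.
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example-kid'})}.{enc(payload)}.dummy-signature"


# Constructed payloads modelled on the two tokens the question compares
# (issuer, subject and expiry values are placeholders).
SAMPLE_ID_TOKEN = _constructed_jwt({
    "iss": "https://cognito-idp.example.invalid/example-pool", "sub": "user-123",
    "aud": "example-app-client-id", "token_use": "id", "exp": 1700000000,
})
SAMPLE_ACCESS_TOKEN = _constructed_jwt({
    "iss": "https://cognito-idp.example.invalid/example-pool", "sub": "user-123",
    "client_id": "example-app-client-id", "token_use": "access",
    "scope": "openid", "exp": 1700000000,
})


def identity_pool_login_check(token: str) -> list:
    """Empty list means the token satisfies the required-claim check."""
    return missing_claims(decode_claims(token))
```

Running identity_pool_login_check on the access token returns ['aud'], which is the exact claim the SDK error names; the same token would be a perfectly good bearer token for a resource server keyed on client_id and scope.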
