How to add/suppress a custom scope in the AWS Pre-Token Generation trigger?

0

I have a Cognito user pool with one allowed custom scope for my app client, i.e. admin-only. I have two kinds of users: 1. users in the Admin group, 2. non-admin users. For one of my AWS API Gateway routes, I need to deny access if a user from the non-admin group hits the API URL; basically it is allowed only for users who are part of the Admin user group.

I can achieve it by adding an authorization scope on the API Gateway route with this custom scope and then adding the scope manually when I request an authorization token in the Hosted UI popup. But in my app, I don't want to add this scope manually; rather, I want to add this scope when the token is generated. I explored the Pre-Token Generation trigger but was not able to see a way to override or add the scope attribute in it. I also tried the code below in the Pre-Token Generation trigger Lambda.

exports.handler = async (event) => {
    // Attempt to drop the "admin-only" scope by suppressing it as a claim
    event.response = {
        "claimsOverrideDetails": {
            "claimsToSuppress": ["admin-only"]
        }
    };
    // An async handler returns the event; mixing async with callback() is unnecessary
    return event;
};

The question is: is there a way to add/override a custom scope in the Pre-Token Generation trigger? If yes, then how? And if there is no way, then how do I solve my use case?

2 Answers
1

You're definitely heading in the right direction: you can use the Pre-token generation Lambda trigger to add claims to your ID tokens. You would use the 'claimsToAddOrOverride' property for that. You can find more information in the documentation here.

I've created a sample application in the past which demonstrates how to add a 'department' claim (and use it for ABAC); it might give you an idea of how to implement it. The repository is here, and in particular pre-token-trigger.js shows how to use 'claimsToAddOrOverride'.

Hope that helps :)

answered 2 years ago
  • Can we add custom claims or scopes to the access token in Cognito?

0

As of 18-Dec-2023, custom claims can also be added to the access token. Here's the announcement:

https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/

answered 4 months ago
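Putting the two answers together, here is an added example (not code from the question or either answer) of a Pre Token Generation trigger written against the V2_0 event version that the December 2023 change introduced: it adds the custom scope to the access token only for members of the admin group and suppresses it for everyone else, and sets an ID-token claim the way the first answer describes. The group name "Admins", the resource server "myapi" (so the full scope is "myapi/admin-only") and the claim name is_admin are assumptions, not names from the page.

```javascript
const ADMIN_GROUP = "Admins";            // assumed Cognito group name (not from the page)
const ADMIN_SCOPE = "myapi/admin-only";  // assumed <resource-server-id>/<scope-name>

// Decide the token overrides from the user's group membership. Kept as a pure
// function so the policy can be unit-tested without deploying the Lambda.
function buildScopeOverrides(event) {
  // Only the V2_0 event shape carries accessTokenGeneration; on V1_0 the
  // scope would silently never be added, so fail closed instead.
  if (event.version !== "2") {
    throw new Error("Pre Token Generation trigger must be configured as V2_0");
  }
  const groupConfig = (event.request && event.request.groupConfiguration) || {};
  const groups = groupConfig.groupsToOverride || [];
  const isAdmin = groups.includes(ADMIN_GROUP);

  return {
    claimsAndScopeOverrideDetails: {
      // ID token: the claimsToAddOrOverride approach from the first answer.
      idTokenGeneration: {
        claimsToAddOrOverride: { is_admin: isAdmin ? "true" : "false" },
      },
      // Access token: grant the scope to admins and explicitly strip it from
      // everyone else, so requesting it in the Hosted UI does not help.
      accessTokenGeneration: isAdmin
        ? { scopesToAdd: [ADMIN_SCOPE] }
        : { scopesToSuppress: [ADMIN_SCOPE] },
    },
  };
}

// Lambda entry point. An async handler returns the event; mixing async with
// callback(), as in the question's attempt, is not needed.
async function handler(event) {
  event.response = buildScopeOverrides(event);
  return event;
}

// Constructed sample events in the V2_0 shape, trimmed to the fields used.
const SAMPLE_ADMIN_EVENT = {
  version: "2",
  request: { groupConfiguration: { groupsToOverride: ["Admins"] } },
};
const SAMPLE_USER_EVENT = {
  version: "2",
  request: { groupConfiguration: { groupsToOverride: ["Users"] } },
};

if (typeof module !== "undefined") {
  module.exports = { handler, buildScopeOverrides, SAMPLE_ADMIN_EVENT, SAMPLE_USER_EVENT };
}
```

The API Gateway route then keeps its authorization scope set to the custom scope, and non-admin users are rejected at the gateway even if their client asked for the scope.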
