How to add/suppress a custom scope in the AWS Pre-Token Generation trigger?
I have a Cognito user pool with one allowed custom scope for my app client, i.e. admin-only. I have two kinds of users: 1. users in the Admin group, 2. non-admin users.

For one of my AWS API Gateway routes, I need to deny access if a user from the non-admin group hits the API URL; basically it is allowed only for users who are part of the Admin user group.

I can achieve it by adding an Authorization scope on the API Gateway route with this custom scope and then adding the scope manually when I request an Authorization token in the Hosted UI popup. But in my app, I don't want to add this scope manually; rather, I want to add this scope when the token is generated. I explored the Pre-Token Generation Trigger but was not able to see a way to override or add the scope attribute in it. I also tried the code below in the Pre-Token Generation Trigger lambda.
// Pre-Token Generation trigger attempt: suppress a claim named "admin-only".
exports.handler = async (event) => {
    event.response = {
        claimsOverrideDetails: {
            // claimsToSuppress removes claims from the issued ID token by name
            claimsToSuppress: ["admin-only"]
        }
    };
    // An async handler returns the modified event; it does not also call callback()
    return event;
};
The question is: is there a way to add/override a custom scope in the pre-token generation trigger? If yes, then how? And if there is no way, then how do I solve my use case?
You're definitely heading in the right direction: you can use the Pre-token generation Lambda trigger to add claims to your ID tokens. You would use the 'claimsToAddOrOverride' property for that. You can find more information in the documentation here.
I've created a sample application in the past which demonstrates how to add a 'department' claim (and use it for ABAC), it might give you an idea on how to implement it. The repository is here, and in particular, the pre-token-trigger.js shows how to use the 'claimsToAddOrOverride'.
Hope that helps :)
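As an added example (not the asker's Lambda and not code from the answerer's repository), here is a Pre Token Generation trigger that does what the answer describes: it reads the user's Cognito group membership from the trigger event and uses 'claimsToAddOrOverride' to add a claim to the ID token. The group name 'Admin', the claim name 'app_role' and the sample event contents are assumptions made for this example; the event field names ('request.groupConfiguration.groupsToOverride', 'response.claimsOverrideDetails') are the ones Cognito sends to and reads from the V1 trigger.

```javascript
// Added example: Pre Token Generation (V1) trigger deriving an ID-token claim
// from Cognito group membership. Group and claim names are assumptions.
const ADMIN_GROUP = 'Admin';      // assumed name of the admin user-pool group
const ROLE_CLAIM = 'app_role';    // assumed name of the claim added to the token

// Group list Cognito passes in the event. A user in no group, or an event with
// the field missing, must yield [] rather than throw inside the trigger.
function groupsOf(event) {
  const cfg = (event.request && event.request.groupConfiguration) || {};
  return Array.isArray(cfg.groupsToOverride) ? cfg.groupsToOverride : [];
}

function isAdmin(event) {
  return groupsOf(event).includes(ADMIN_GROUP);
}

// Build the response shape Cognito reads back. Claim values are strings.
function buildResponse(event) {
  const role = isAdmin(event) ? 'admin' : 'user';
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: { [ROLE_CLAIM]: role },
      claimsToSuppress: [],
    },
  };
  return event;
}

// Lambda entry point: an async handler returns the event instead of calling callback().
async function handler(event) {
  return buildResponse(event);
}

// Constructed sample event in the shape of a TokenGeneration_Authentication trigger.
function sampleEvent(groups) {
  return {
    version: '1',
    triggerSource: 'TokenGeneration_Authentication',
    request: {
      userAttributes: { sub: 'constructed-sub', email: 'user@example.com' },
      groupConfiguration: { groupsToOverride: groups, iamRolesToOverride: [], preferredRole: null },
    },
    response: {},
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, buildResponse, isAdmin, groupsOf, sampleEvent };
}
```

Deploy 'handler' as the pool's Pre Token Generation trigger; the resulting ID token carries 'app_role' equal to 'admin' for members of the Admin group and 'user' for everyone else, and a downstream authorizer can check that claim rather than relying on a scope the client has to request by hand.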