Hi,
While you configured the Client Application to be able to use the scopes aws.cognito.signin.user.admin, Email, OpenID, Profile, you need to request them so that the token issued includes the necessary scopes.
Please ensure that when your Client is doing an Authorization call to Cognito on the /oauth2/authorize endpoint, it includes all the necessary scopes in the request, as defined in the query string parameter scope - see the documentation: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
When Cognito receives an authorization request on /oauth2/authorize, it first checks that the scopes requested are part of the scopes authorized for this client id. Then it issues an authorization code that can be exchanged for JWTs. Those JWTs will only include the scopes requested during the authorize call. If you miss a scope, Cognito will not fill that out based on the list of scopes authorized. And if you miss the scope that allows reading the group membership / role membership, those won't be included in the JWTs.
Jeff
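As an added illustration of the flow Jeff describes (this is example code, not part of the original answer or of any AWS SDK): build the /oauth2/authorize request with every scope the client needs in the `scope` parameter, prepare the /oauth2/token exchange, and then check the `scope` claim of the returned access token for anything that was left out. The user pool domain, client id, redirect URI and state value are placeholders, and the sample token is constructed locally and unsigned; a real Cognito access token must be signature-verified against the pool's JWKS before any claim in it is trusted.

```python
import base64
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Scopes the client application is allowed to use (from the question).
REQUIRED_SCOPES = ["openid", "email", "profile", "aws.cognito.signin.user.admin"]


def build_authorize_url(domain, client_id, redirect_uri, scopes, state):
    """Build the GET /oauth2/authorize URL. Scopes are space-separated in one
    `scope` parameter; urlencode turns the spaces into '+', which Cognito accepts."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF protection: bind the callback to this session
    }
    return f"https://{domain}/oauth2/authorize?" + urlencode(params)


def requested_scopes(authorize_url):
    """Parse the scope parameter back out, e.g. to assert on it in a test suite."""
    query = parse_qs(urlparse(authorize_url).query)
    return set(query.get("scope", [""])[0].split())


def build_token_request(domain, client_id, code, redirect_uri, client_secret=None):
    """Return (url, headers, form body) for POST /oauth2/token. The request is not
    sent here; pass these to your HTTP client. With a client secret, Cognito
    expects HTTP Basic auth with client_id:client_secret."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
    }
    if client_secret is not None:
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    return f"https://{domain}/oauth2/token", headers, urlencode(body)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_payload(token):
    """Decode the payload only. This does NOT verify the signature; use it for
    diagnostics on a token you have already verified, never for authorization."""
    payload = token.split(".")[1]
    return json.loads(_b64url_decode(payload))


def missing_scopes(access_token, required):
    """Scopes the client needs that the issued access token does not carry.
    Cognito puts granted scopes in the access token's `scope` claim as a
    space-separated string; the id token is only issued when openid was requested."""
    granted = set(decode_jwt_payload(access_token).get("scope", "").split())
    return [s for s in required if s not in granted]


def make_sample_access_token(scope_claim):
    """Constructed, unsigned sample token for demonstration only (alg=none)."""
    header = base64.urlsafe_b64encode(b'{"alg":"none","typ":"JWT"}').decode().rstrip("=")
    claims = {"token_use": "access", "scope": scope_claim, "client_id": "example-client-id"}
    payload = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
    return f"{header}.{payload}."


if __name__ == "__main__":
    url = build_authorize_url(
        "example.auth.us-east-1.amazoncognito.com",  # placeholder domain
        "example-client-id",
        "https://app.example.com/callback",
        REQUIRED_SCOPES,
        "opaque-state-value",
    )
    print(url)
    # A token from an authorize call that forgot openid:
    print(missing_scopes(make_sample_access_token("email profile aws.cognito.signin.user.admin"), REQUIRED_SCOPES))
```

If `missing_scopes` reports anything, the fix is in the authorize request, not in the app client configuration: Cognito will not add scopes that were not asked for, and without openid no id token (and no claims that ride on it) comes back.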
Yep... I was missing the openid scope. Thanks! :)