Cognito issued JWT does not contain user roles
According to this SO - User roles in Amazon Cognito the user roles should be available in the JWT returned by Cognito. However when inspecting the JWT I don't see any roles nor the cognito:groups claim that is supposedly there.
From what I understood these scopes were needed for this to work:
Is there a specific option that needs to be enabled as well?
Am I supposed to use a Pre authentication Lambda trigger for this?
Notes:
- We have configured Congito to use IAM Identity Center SAML application as the external identity provider.
- Newest
- Most votes
- Most comments
Hi,
While you configured the Client Application to be able to use the scopes aws.cognito.signin.user.admin, Email, OpenID, Profile, you need to request them so that the token issued includes the necessary scopes.
Please ensure that when your Client is doing an Authorization call to Cognito on the /oauth2/authorize endpoint it includes all the necessary scopes in the request as defined in the query string parameter scope - see documentation https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html
Cognito when it receives an authorization request on /oauth2/authorize first checks that the scopes requested are part of the scopes authorized for this client id. Then it issues an authorization code that can be exchanged for JWTs. Those JWTs will only include the scopes requested during the authorize call. If you miss a scope, Cognito will not fill that out based on the list of scopes authorized. An if you miss the scope that can allow to read the group membership / role memebership, those won't be included in the JWTs.
Jeff
Relevant content
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 5 months ago
Yep... I was missing the
openidscope. Thanks! :)