Cognito Pre-Token Generation Lambda Cannot Accept List Overrides


Looking at the docs for Cognito pre-token generation lambda hooks: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

I see I can change the fields in the ID token. One field I need to update involves setting the value to an array: e.g. "permissions": ["read", "write", "execute"].

This is what my Lambda looks like:

exports.handler = (event, context, callback) => {
    event.response = {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "role": "user",
                "permissions": ["read", "write", "execute"]
            }
        }
    };

    callback(null, event);
};

However, the hook fails. JWT allows for there to be array (and object) parameters. Any idea when this feature might be enabled?

Thanks!

  • This is a very long standing bug (2018). I would not expect a solution very soon. I saw a workaround that you could work with: Just stringify the array.

3 Answers

Is there any update or plan when this feature will be implemented? We really need this feature for an Amplify application where we want to make use of the "groupClaim" attribute, which we want to generate by ourselves in a pre-token Lambda function. I cannot really understand why there is this option (groupClaim in GraphQL auth) when you cannot create another array than cognitogroups with the AWS Cognito pre-token generation Lambda.

answered 2 years ago

This bug has been around for almost 5 years now, like JaccoPK said. Is there any update or plan when this feature will be implemented? It's becoming a very big problem with Amplify/Appsync apps and with how their resolvers handle custom claims.

answered a year ago

Hi,

Currently only the string type is supported for custom claims, so you need to represent your list as a string, something like this: "permissions": "[read, write, execute]"

AWS
EXPERT
answered 2 years ago
  • Hey Mahmoud,

    Thanks for the quick reply, is there any timeline when this will change? I'm using a service that needs it in this format; I'm unable to set these parameters as a string; it must be a list.

    If Cognito cannot accept list parameters (which is part of the JWT spec) then I cannot use Cognito and will have to use something else such as KeyCloak.

    Thanks

    Thanks!

  • This is definitely an oversight by the Cognito team: we are paying extra for this pre-token generation functionality, but then are restricted to string types? auth_time, generated by Cognito, for instance is a number, so there is definitely the possibility to store correct types instead of inferring that data is encoded as a string.
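The "stringify the array" workaround mentioned in the comment on the question and in the answer above, written out as an added example; this is not code from the original thread or from AWS. The event shape (event.response.claimsOverrideDetails.claimsToAddOrOverride) follows the pre token generation docs linked in the question and the claim names are the asker's; the permission values are constructed sample data, and the consumer-side decoder is an assumption about how a relying service would read the claim back. JSON.stringify is used rather than the "[read, write, execute]" form in the answer so that the string round-trips through JSON.parse unambiguously.

```javascript
'use strict';

// Permissions the handler grants. Constructed sample data; a real handler
// would derive these from the user's groups or attributes in the event.
const PERMISSIONS = ['read', 'write', 'execute'];

// Cognito rejects non-string custom claims, so the array is JSON-encoded
// into a single string claim. The event shape follows the pre token
// generation docs linked in the question; the claim names are the asker's.
function applyClaimOverrides(event) {
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {
        role: 'user',
        permissions: JSON.stringify(PERMISSIONS),
      },
    },
  };
  return event;
}

// Lambda entry point (would be exported as exports.handler in a real
// deployment). An async handler returns the mutated event to Cognito.
async function handler(event) {
  return applyClaimOverrides(event);
}

// Consumer side (hypothetical relying service): turn the claim back into an
// array. A JSON array of non-empty strings is accepted; a native array is
// accepted too, so the code keeps working if Cognito ever emits real arrays.
// Anything else (non-JSON, an object, mixed element types) yields [] so a
// malformed claim fails closed rather than granting anything. JWT signature
// verification is assumed to have happened before the payload reaches here.
function parsePermissionsClaim(claim) {
  let parsed = claim;
  if (typeof claim === 'string') {
    try {
      parsed = JSON.parse(claim);
    } catch (err) {
      return [];
    }
  }
  if (!Array.isArray(parsed)) return [];
  if (!parsed.every((p) => typeof p === 'string' && p.length > 0)) return [];
  return parsed;
}

// Authorization check over a decoded claims object (the verified JWT payload).
function hasPermission(claims, needed) {
  if (!claims || typeof claims !== 'object') return false;
  return parsePermissionsClaim(claims.permissions).includes(needed);
}

// Export for Lambda (CommonJS) and local use; guarded so the file also
// loads as an ES module.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { handler, applyClaimOverrides, parsePermissionsClaim, hasPermission };
}
```

The decoder is where the workaround bites: every service that reads the token has to know the claim is a JSON string, and a decoder that simply trusts `JSON.parse` output would accept an object or a list of numbers where a list of permission names was expected, which is why `parsePermissionsClaim` checks the shape before returning it.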
