Cognito Pre-Token Generation Lambda Cannot Accept List Overrides

2

Looking at the docs for Cognito pre-token generation lambda hooks: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

I see I can change the fields in the ID token. One field I need to update involves setting the value to an array: e.g. "permissions": ["read", "write", "execute"].

This is what my Lambda looks like:

exports.handler = (event, context, callback) => {
    event.response = {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "role": "user",
                "permissions": ["read", "write", "execute"]
            }
        }
    };

    callback(null, event);
};

However, the hook fails. JWT allows for there to be array (and object) parameters. Any idea when this feature might be enabled?

Thanks!

  • This is a very long-standing bug (2018). I would not expect a solution very soon. I saw a workaround that you could work with: just stringify the array.

2 Answers
1

Is there any update or plan when this feature will be implemented? We really need this feature for an Amplify application where we want to make use of the "groupClaim" attribute, which we want to generate by ourselves in a pre token Lambda function. I cannot really understand why there is this option (groupClaim in GraphQL auth) when you cannot create another array than cognitogroups with the AWS Cognito pre token generation Lambda.

answered 10 months ago
0

Hi,

Currently, only the string type is supported for custom claims; you need to represent your list as a string, something like this: "permissions": "[read, write, execute]"

EXPERT
answered a year ago
  • Hey Mahmoud,

    Thanks for the quick reply, is there any timeline when this will change? I'm using a service that needs it in this format; I'm unable to set these parameters as a string; it must be a list.

    If Cognito cannot accept list parameters (which is part of the JWT spec) then I cannot use Cognito and will have to use something else such as KeyCloak.

    Thanks!
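The workaround mentioned in the comment and the answer above (pass the list as a string), written out as an added example that is not part of the original thread: the trigger serializes the array with JSON.stringify, and the token consumer parses it back and rejects anything that is not an array of expected strings. The helper names and the allow-list are assumptions, and the consumer is assumed to have already verified the ID token's signature.

```javascript
// Added example, not code from the thread. Claim names follow the question;
// ALLOWED_PERMISSIONS, toStringClaims and readPermissions are assumed names.
const ALLOWED_PERMISSIONS = new Set(["read", "write", "execute"]);

// Trigger side: only string values are accepted in claimsToAddOrOverride,
// so any non-string value is serialized to JSON text first.
function toStringClaims(claims) {
  const out = {};
  for (const [name, value] of Object.entries(claims)) {
    out[name] = typeof value === "string" ? value : JSON.stringify(value);
  }
  return out;
}

// Same callback style as the question; in Lambda: exports.handler = handler;
function handler(event, context, callback) {
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: toStringClaims({
        role: "user",
        permissions: ["read", "write", "execute"],
      }),
    },
  };
  callback(null, event);
}

// Consumer side: call this on the payload of an ID token whose signature
// has already been verified. It fails closed: the claim must be a string
// holding a JSON array, and every element must be a known permission.
function readPermissions(verifiedPayload) {
  const raw = verifiedPayload.permissions;
  if (typeof raw !== "string") throw new Error("permissions claim is not a string");
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch {
    throw new Error("permissions claim is not valid JSON");
  }
  if (!Array.isArray(parsed)) throw new Error("permissions claim is not an array");
  for (const p of parsed) {
    if (typeof p !== "string" || !ALLOWED_PERMISSIONS.has(p)) {
      throw new Error("unexpected permission value");
    }
  }
  return parsed;
}
```

A consumer that cannot be changed to parse the string, as in the follow-up comment, gets no help from this; it only works where you control the code that reads the claim.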
