- Newest
- Most votes
- Most comments
When you call getUser and pass in an access token, Cognito returns the attributes defined in the user pool schema. It does not interpret the claims in the access token. Per the OpenID definition, an Access token should be used only for access authorised resources.
This is neatly summed up in the following blog.
On the access token side, it was conceived to demonstrate that you are authorized to access a resource, e.g., to call an API. Your client application should use it only for this reason. In other words, the access token should not be inspected by the client application. It is intended for the resource server, and your client application should treat access tokens as opaque strings, that is, strings with no specific meaning. Even if you know the access token format, you shouldn’t try to interpret its content in your client application.
For managing permissions of users in Cognito, consider adding groups to your user pool. https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-user-groups.html
You can use groups to create a collection of users in a user pool, which is often done to set the permissions for those users. For example, you can create separate groups for users who are readers, contributors, and editors of your website and app.
Let me now how you go or if I have missed the meaning of your question and I'll be happy to help further.
While @simon answer is the real reason, there is an alternative. You can request to refresh the Access Token which will provide you with a new ID token that will be issued after passing through the Pre-Token Generation Lambda:
Sample request
POST https://mydomain.auth.us-east-1.amazoncognito.com/oauth2/token >
Content-Type='application/x-www-form-urlencoded'&
Authorization=Basic ZGpjOTh1M2ppZWRtaTI4M2V1OTI4OmFiY2RlZjAxMjM0NTY3ODkw
grant_type=refresh_token&
client_id=1example23456789&
refresh_token=eyJj3example
Sample response
HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token":"eyJra1example",
"id_token":"eyJra2example",
"token_type":"Bearer",
"expires_in":3600
}
Ahh so in this case I'd have to pass the Refresh token (in addition to the Access token) into my API calls. If I understand you, you're saying that I could just request a refresh, get an ID token back, and then you won't have to validate any tokens yourself because Cognito won't issue a new set of tokens unless Refresh was valid.
That makes sense but I worry that I'll be requesting a refresh for every API call, that won't wig cognito out?
Relevant content
- asked 9 months ago
- asked 10 months ago
- asked 7 months ago
- AWS OFFICIALUpdated 4 days ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated a year ago
You did understand my meaning. I would like to use groups but the problem is I think I would need a LOT of them, because my permissions are really more like hierarchical paths in a resource tree. There's a ro tree and a rw tree, if you have the 'permission' that implies you have it from that spot in the tree down to the bottom. So in DynamoDB, it's a Set<string>
Got it. Agree that it would become cumbersome managing using groups. This is one of the main customer requirements we're aiming to solve with Amazon Verified Permissions. https://aws.amazon.com/verified-permissions/
The service is in Preview and you can request access through the product page.
Right. Really, the main thing I want is some way to cache this. An ID token is kind of convenient because the client "caches" it. It's like you tell the client "Hold this for me, but don't change it, then show it to me later." What I'm really trying to do is avoid my clients having to incur a database or cognito lookup per request.