Limit of 50 Custom Scopes per App Client in Cognito


In my microservices authentication model, I'm viewing each microservice as a Cognito Resource Server. And each microservice has multiple custom scopes associated with it (e.g. payment:view, payment:create). When an App Client retrieves an access token for a guest user, for example, I want to return all the custom scopes for all the microservices (Resource Servers) the client may interact with.

My first question is, there is a Cognito limit of 50 scopes per App Client. If I have many microservices with multiple scopes in each, how do I get around this limit? It seems I may be approaching this in the wrong way but not sure.

And second question is, as scopes are associated with an App Client, if I want my "guest" users to have one set of scopes and my "registered" users to have another set of scopes, should I create two separate App Clients for the same client entity? For example if the client is an iOS app, I would create App Clients "ios-client-guest-user" and "ios-client-registered-user". Is this the correct approach in having multiple groups of users associated with different sets of scopes using the same client?

Thanks!

asked a year ago, 1055 views
1 Answer

Hi,

Yes, there is a limit of 50 custom attributes per user pool, and it cannot be increased.

However, you can store this information in a DynamoDB table and add it to the identity token in the login workflow through Amazon Cognito's Pre token generation Lambda trigger, which is specifically designed to add new claims, update claims, or suppress claims.

This could also help you solve other Cognito limitations, such as not being able to remove or change attributes in the user pool once it has been created, or not being able to back up this information, although it requires you to add (and maintain) additional infrastructure services in your solution.

I hope this helps you.

EXPERT
answered a year ago
  • Thanks for the response! You mentioned the limit of 50 custom attributes per user pool, which I'm not concerned about. My question was more about the 50 custom scope limit per App Client. After reading up on the Pre token generation Lambda trigger, it seems like I can't update the access token (ID token only) and scopes in the access token. I could potentially add a scope claim to the ID token but typically only the access token is used to authorize against resource servers. Also the Pre Token Lambda won't work for the Client Credentials grant as it doesn't send back an ID token.

  • Hi,

    First of all I want to apologize, since as you say, my answer is incorrect: you asked about scopes limits per app client and I answered you with custom attributes limits per user pool, which is not the same. I'm sorry.

    As you say, the access token cannot be updated using Amazon Cognito's Pre token generation Lambda trigger; this is just for the ID token, and although it can also be used to authenticate users to your resource servers or server applications, it is not compatible with the Client Credentials grant.

  • Not a problem at all. Thanks for taking the time to read and reply to my question.
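The mechanism the answer proposes, as an added example that is not part of the original answer or of AWS's own code: a Pre token generation (V1 event) Lambda handler that looks up the scopes a user is entitled to from their Cognito group membership and writes them into an ID token claim via `claimsOverrideDetails.claimsToAddOrOverride`. The in-memory `SCOPE_CATALOG`, the `guest`/`registered` group names, the scope strings and the claim name `app_scopes` are all constructed assumptions; in a real deployment `lookup_scopes()` would be a boto3 `GetItem`/`Query` against the DynamoDB table. As the comments above note, this trigger version only shapes the ID token, so the `scope` claim of the access token (and the 50-scope-per-app-client limit) is unaffected, and the trigger never fires for the client_credentials grant because there is no user.

```python
"""Cognito Pre token generation (V1) trigger: add a per-user scope claim to the ID token.

Added example, not code from the original page. SCOPE_CATALOG stands in for the
DynamoDB table suggested in the answer; group names, scopes and the claim name
'app_scopes' are assumptions for illustration.
"""
from typing import Any, Dict, List

# Constructed catalog: Cognito group -> scopes that group may exercise against
# each resource server. In production this lookup would hit DynamoDB.
SCOPE_CATALOG: Dict[str, List[str]] = {
    "guest": ["payment:view", "catalog:view"],
    "registered": ["payment:view", "payment:create", "catalog:view", "orders:create"],
}

# Claim name is an assumption; avoid reserved claims (sub, aud, iss, token_use, ...)
# which the trigger is not allowed to override.
SCOPE_CLAIM = "app_scopes"


def lookup_scopes(groups: List[str]) -> List[str]:
    """Union of the scopes granted to every group the user belongs to, sorted
    and de-duplicated so the resulting claim is deterministic."""
    granted = set()
    for group in groups:
        granted.update(SCOPE_CATALOG.get(group, []))
    return sorted(granted)


def build_scope_claim(groups: List[str]) -> Dict[str, str]:
    """Space-separated scope string in the same shape an OAuth 'scope' claim uses.
    Returns an empty dict when the user has no entitlements, so no claim is added."""
    scopes = lookup_scopes(groups)
    return {SCOPE_CLAIM: " ".join(scopes)} if scopes else {}


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Entry point for the Cognito trigger. Cognito passes the full event and
    expects the same event back with 'response' filled in."""
    # The V1 trigger sources are TokenGeneration_* (Authentication, HostedAuth,
    # RefreshTokens, NewPasswordChallenge, AuthenticateDevice). Anything else is
    # unexpected here; return the event untouched rather than failing the login.
    if not str(event.get("triggerSource", "")).startswith("TokenGeneration_"):
        return event

    # Group membership arrives in request.groupConfiguration.groupsToOverride.
    request = event.get("request", {})
    groups = request.get("groupConfiguration", {}).get("groupsToOverride") or []

    claims = build_scope_claim(groups)

    response = event.setdefault("response", {})
    response["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims,
        "claimsToSuppress": [],
    }
    return event


def constructed_event(username: str, groups: List[str]) -> Dict[str, Any]:
    """Minimal V1 trigger event with the fields this handler reads (constructed)."""
    return {
        "version": "1",
        "triggerSource": "TokenGeneration_Authentication",
        "userPoolId": "us-east-1_EXAMPLE",
        "userName": username,
        "request": {
            "userAttributes": {"sub": "00000000-0000-0000-0000-000000000000", "email": f"{username}@example.com"},
            "groupConfiguration": {"groupsToOverride": groups, "iamRolesToOverride": [], "preferredRole": None},
        },
        "response": {},
    }


if __name__ == "__main__":
    out = lambda_handler(constructed_event("alice", ["registered"]))
    print(out["response"]["claimsOverrideDetails"]["claimsToAddOrOverride"])
```

A resource server that consumes the ID token would then read `app_scopes` the same way it reads `scope` from an access token; the guest/registered split is expressed through group membership rather than through two app clients.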
