By using AWS re:Post, you agree to the Terms of Use

Pre token generation lambda trigger is not working properly in .Net core.


Hello Team,

The pre-token generation lambda trigger for Cognito is not working properly for .net core, It is throwing this error: "error_description=Error+in+SAML+response+processing%3A+Invalid+version+in+Lambda+response.+Version+should+be+1+&error=server_error".

Same event is working fine for node js but it is not working in .net core, here is the payload response which I'm returning from Pre-Token generation lambda trigger for .Net core after modifying the claims:

{ "request": { "groupConfiguration": { "groupsToOverride": [ "us-east-1_P139c87yU_Okta" ], "iamRolesToOverride": [], "preferredRole": null }, "clientMetadata": null, "userAttributes": { "sub": "fb010969-9c01-4533-b12b-c09d454ee10f", "identities": "[{\"userId\":\"\",\"providerName\":\"Okta\",\"providerType\":\"SAML\",\"issuer\":\",5C5C22primary5C5C22:true,5C5C22dateCreated5C5C22:1644401968942*7D**A22__;JSUlJSUlJSUlJSUlJSUlJV0l!!NmrTbz2Y!j8OBTzi57qqJa6c8x7egkmYdRuvuglBU0LwQm17-u2m-pf-EOQrrffVrzMnxkxiy0pE$ , "cognito:user_status": "EXTERNAL_PROVIDER", "email_verified": "false", "email": "" } }, "response": { "claimsOverrideDetails": { "claimsToAddOrOverride": null, "claimsToSuppress": null, "groupOverrideDetails": { "groupsToOverride": [ "User", "us-east-1_P139c87yU_Okta" ], "iamRolesToOverride": [], "preferredRole": null } } }, "version": "1", "triggerSource": "TokenGeneration_HostedAuth", "region": "us-east-1", "userPoolId": "us-east-1_P139c87yU", "userName": "", "callerContext": { "awsSdkVersion": "aws-sdk-unknown-unknown", "clientId": "nbkmuarn0v3pph35s4cnsr7li" } } *

1 Answer


May I ask if this event is somehow truncated? It does not seem to be a valid JSON. I've used our internal JSON lint tool and there seems to be an issue with the formatting under "userAttributes"

        "userAttributes": {
            "sub": "fb010969-9c01-4533-b12b-c09d454ee10f",
            "identities": "[{\"userId\":\"\",\"providerName\":\"Okta\",\"providerType\":\"SAML\",\"issuer\":\",5C5C22primary5C5C22:true,5C5C22dateCreated5C5C22:16444019689427D**A22__;JSUlJSUlJSUlJSUlJSUlJV0l!!NmrTbz2Y!j8OBTzi57qqJa6c8x7egkmYdRuvuglBU0LwQm17-u2m-pf-EOQrrffVrzMnxkxiy0pE$ , "
            cognito: user_status ": "

Two things to note is that there is an opening brace in 'identities' but there is no closing. Also, the "issuer" key does not seem to have an escaped \". I just want to clarify this first if perhaps you have truncated this. If so, can you please provide the full event?

If the object is working Node but not in .NET then this seems to imply that there is actually some sort of difference with the way the Node Lambda returns the response as opposed to the .NET Lambda. I would suggest checking how exactly you are returning this response in the .NET Lambda as it may be returning it differently than expected.

I would also suggest doing an additional test by invoking both Lambda's via API Gateway. This is to confirm if the Lambda's are indeed returning the expected format back to the requester.

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions