Pre Token Generation Trigger Not Invoked


I've created a new User Pool and am confident other triggers are working, because the Post Authentication trigger is working perfectly. The integration with Facebook as an identity provider is working flawlessly. I am trying to get an OpenID integration working with Twitch and have everything working except for retrieving the user's email during authentication. I have added the appropriate claims in my lambda function, but I see no log of it ever being called by the User Pool authentication flow. Has anyone else seen this failure to invoke?

The lambda function is very simple. It simply changes the response to include:

// Pre Token Generation handler, Node.js runtime
exports.handler = async (event) => {
    event.response = {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "email": "null",
                "email_verified": "null"
            }
        }
    };
    return event;
};

When I manually add this parameter to the OpenID call to twitch, I can get the user to successfully be added to my pool:

https://id.twitch.tv/oauth2/authorize?claims={"id_token":{"email":null,"email_verified":null}}&client_id=...

I am not seeing any errors. I am just not seeing any invocation at all.

asked 5 years ago · 838 views
1 Answer

I finally got a message back from AWS Support that made sense, so I hope to spare someone the hours of searching it took me.

The bottom line is that the Pre Token Generation Trigger is called before the token is created and sent back to the redirect_url. It is NOT called before the token request is made to the identity provider. The intent is to allow the lambda function to manipulate what actually goes into the token being passed back. What I need is the ability to alter the claims made to the identity provider. That is not possible with any of the User Pool triggers available today (2019-04-20).

The only solution is to create a User Pool that does not have any required attributes other than an identifier for each user. You can't require email if an identity provider does not provide it using the standard OpenID 'email' scope. In my case, since Twitch does not provide it by that name, my User Pool cannot require it.

AWS needs to add the ability to add specific claims in the request to identity providers. Until it does, they haven't fully implemented OpenID.

answered 5 years ago
