I finally got a message back from AWS Support that made sense, so I hope to spare someone the hours of searching it took me.
The bottom line is that the Pre Token Generation Trigger is called before the token is created and sent back to the redirect_url. It is NOT called before the token request is made to the identity provider. The intent is to allow the lambda function to manipulate what actually goes into the token being passed back. What I need is the ability to alter the claims made to the identity provider. That is not possible with any of the User Pool triggers available today (2019-04-20).
The only solution is to create a User Pool that does not have any required attributes other than an identifier for each user. You can't require email if an identity provider does not provide it using the standard OpenID 'email' scope. In my case, since Twitch does not provide it by that name, my User Pool cannot require it.
AWS needs to add the ability to add specific claims in the request to identity providers. Until it does, they haven't fully implemented OpenID.
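To make the scope of the trigger concrete, here is an added example of a Pre Token Generation handler (V1 event shape). It is not code from the post above or from AWS; it illustrates the distinction the answer draws: the function runs after federation has completed and can only reshape the token Cognito issues, so it can copy a value the IdP did deliver (under whatever name) into the `email` claim of the issued token, but it cannot request anything further from the IdP and cannot satisfy a pool-level required attribute, which is checked when the federated user is created, before this trigger ever runs. The attribute name `custom:idp_email` is an assumed attribute-mapping target, and the sample event is constructed for the example; neither appears in the original post.

```python
"""Cognito Pre Token Generation handler (V1 event), added illustration.

Assumption: the identity provider's non-standard email claim was mapped, in
the provider's attribute mapping, onto the custom attribute named below.
"""
import re

MAPPED_EMAIL_ATTR = "custom:idp_email"   # assumed mapping target, not from the post
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def make_sample_event(user_attributes):
    """Constructed V1 Pre Token Generation event for a federated (hosted UI) sign-in."""
    return {
        "version": "1",
        "triggerSource": "TokenGeneration_HostedAuth",
        "region": "us-east-1",
        "userPoolId": "us-east-1_EXAMPLE",          # placeholder pool id
        "userName": "twitch_example-user",           # placeholder federated username
        "request": {
            "userAttributes": user_attributes,
            "groupConfiguration": {
                "groupsToOverride": [],
                "iamRolesToOverride": [],
                "preferredRole": None,
            },
        },
        "response": {"claimsOverrideDetails": None},
    }


def lambda_handler(event, context=None):
    """Reshape the token that will be issued. Nothing here can change what
    was asked of, or returned by, the identity provider."""
    attrs = event.get("request", {}).get("userAttributes", {})
    claims_to_add = {}
    claims_to_suppress = []

    mapped = attrs.get(MAPPED_EMAIL_ATTR, "")
    # Only surface a value that actually looks like an address; the IdP
    # controls this field, so treat it as untrusted input.
    if EMAIL_RE.match(mapped) and not attrs.get("email"):
        claims_to_add["email"] = mapped

    # Keep the raw custom attribute out of the issued ID token.
    if MAPPED_EMAIL_ATTR in attrs:
        claims_to_suppress.append(MAPPED_EMAIL_ATTR)

    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims_to_add,
        "claimsToSuppress": claims_to_suppress,
    }
    return event


if __name__ == "__main__":
    sample = make_sample_event({
        "sub": "00000000-0000-0000-0000-000000000000",
        "custom:idp_email": "alice@example.com",
    })
    print(lambda_handler(sample)["response"]["claimsOverrideDetails"])
```

Two caveats worth checking before relying on this: Cognito ignores overrides of a reserved set of claims (and anything prefixed `cognito:`), so confirm `email` is still overridable against the current documentation for your pool; and an `email` claim injected this way carries no `email_verified` guarantee, so downstream services should not treat it as verified.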