Is there a possibility to inject user information in the access token generated from AWS Cognito using the OAuth client credentials grant?


In our current project, we are using a serverless architecture leveraging AWS Cognito as IdP, AWS API Gateway and AWS Lambda. For our current application, we have some partners who are registered in the Cognito user pool as App Clients. The users in the Cognito user pool will only be web portal users. The partners will directly interact with our backend APIs. For service-to-service communication, we are making use of the OAuth client credentials grant to generate access tokens from Cognito at the /oauth2/token endpoint.

The challenge that we perceive here is that the partners will have their own users who would be consuming the APIs exposed from our backend Lambda through API Gateway. These users will not have any existence in our Cognito user pool. But in order for us to respond to their requests, we would need some user information coming to us (possibly as claims in the generated access token).

We are looking at the option of having a pre-token generation Lambda fetch user info from an API and override the claims in the token. But as per our understanding, claim overriding can only happen in the ID token and not the access token.

What is the best possible way to enable server-to-server communication with user information available in token claims? Please guide me.

2 Answers

As of Jan-2024, there is now an access token customization feature for Amazon Cognito user pools. See the AWS Security Blog post "How to customize access tokens in Amazon Cognito user pools".

However, this is not supported for access tokens generated by the client credentials grant, per the "Customizing the access token" section of the Pre token generation Lambda trigger documentation:

Although you can generate access tokens for machine-to-machine (M2M) authorization with Amazon Cognito with a client credentials grant, M2M requests don’t invoke the pre token generation trigger function and can't issue customized access tokens.

AWS
answered 4 months ago
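For reference, here is what the access-token customization the answer points to looks like in code. This is an added example, not code from the answer or from AWS: a pre token generation Lambda handler using the V2_0 event shape (the user pool must be configured to send that version), plus a helper for the backend that recognises tokens issued through a client credentials grant, for which this trigger never runs. The sample event, the `custom:partner_id` attribute and the `lookup_partner_profile` directory are all constructed placeholders.

```python
def build_sample_event():
    """Constructed pre token generation V2_0 event (shape per AWS docs).
    The user attributes are placeholders, not real pool data."""
    return {
        "version": "2",
        "triggerSource": "TokenGeneration_Authentication",
        "userName": "alice",
        "request": {
            "userAttributes": {
                "sub": "11111111-2222-3333-4444-555555555555",
                "email": "alice@example.com",
                "custom:partner_id": "partner-42",   # hypothetical attribute
            },
        },
        "response": {},
    }


def lookup_partner_profile(partner_id):
    """Stand-in for the 'fetch user info from an API' step in the question."""
    constructed_directory = {"partner-42": {"tier": "gold"}}
    return constructed_directory.get(partner_id, {})


def lambda_handler(event, context=None):
    """Adds claims to the *access* token. Only V2_0 events expose
    accessTokenGeneration; a V1_0 event can override ID-token claims only."""
    if event.get("version") != "2":
        return event
    attrs = event["request"]["userAttributes"]
    partner_id = attrs.get("custom:partner_id", "")
    profile = lookup_partner_profile(partner_id)
    event["response"]["claimsAndScopeOverrideDetails"] = {
        "accessTokenGeneration": {
            "claimsToAddOrOverride": {
                "partner_id": partner_id,
                "partner_tier": profile.get("tier", "none"),
            },
            "claimsToSuppress": [],
            "scopesToAdd": [],
            "scopesToSuppress": [],
        }
    }
    return event


def is_m2m_access_token(claims):
    """True when decoded access-token claims came from a client_credentials
    grant: there is no username and sub equals the app client id. Such a
    token never passed through the trigger above, so the backend must not
    expect any user-derived claims in it."""
    return (claims.get("token_use") == "access"
            and "username" not in claims
            and claims.get("sub") == claims.get("client_id"))
```

Point the backend's claim handling at `is_m2m_access_token` first: a partner token identifies the partner app client only, and any per-user information has to arrive by a separate, verified channel.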

Hello @hakanson, the impossibility to manage pre token generation with client credentials is a real problem for us. It breaks our integration.

Can we expect support for client credentials in the coming months?

If not, is there a workaround?



answered 18 days ago
