Send Metadata into "Pre token generation" trigger with REFRESH_TOKEN_AUTH


Hi everyone!

I use AWS Cognito for my apps, and actually have 3 apps working with the same Cognito user database. These three apps are connected, so the auth is shared. But based on which app you are logging in from, I customize the AccessToken with different params.

When I login, I send a Client Metadata that looks like this:

{
  platform: 'ANY_OF_THE_3_PLATFORMS'
}

So that when the authentication process gets to the Pre token generation trigger, I check the ClientMetadata and I know where the user is coming from so that I can make changes.

Everything works great until I get to the refresh token process. When the token is refreshed, the ClientMetadata I attach is not received by the Pre token generation trigger, so I don't know where this refresh token request is coming from and therefore I can't customize the AccessToken.

Any solution or workaround?

I have seen in the official docs that REFRESH_TOKEN_AUTH should trigger the Pre authentication trigger, which includes the Client Metadata, but it actually doesn't. I don't know if this is an AWS error, or I misunderstood something.

Thanks to whoever can save my day!

asked a month ago · 375 views
1 Answer

The ClientMetadata is available in the Pre token generation trigger during the initial login process but not during the refresh token process. This is why it works for the initial login but not when refreshing the token.

Unfortunately, Cognito does not pass ClientMetadata to the Pre token generation trigger during the refresh token process. This is a known limitation and there's no direct way to work around this within Cognito's current functionality.

EXPERT
answered a month ago
EXPERT
reviewed a month ago
  • This is a limitation that AWS is aware of, and they do nothing about it? No workaround at all?

  • Maybe one workaround you could try is to store the platform information in the user's session or a database during the initial login process. Then, during the refresh token process, retrieve this information from the session or database to customize the AccessToken accordingly.

  • Docs say that InitiateAuth with REFRESH_TOKEN_AUTH should fire the Pre authentication trigger, which includes the ClientMetadata. If that's the case, this would be a solution for me, but the truth is that REFRESH_TOKEN_AUTH never fires the Pre authentication trigger. Is that a bug or an error?

    PS: The workaround you gave me has a problem. If I log in on two different platforms with the same Cognito instance, during Refresh Session the database will take the last known platform I logged in from, not the actual platform the user is trying to get the new token from.

  • Hey, oriollpz, I'll investigate further to clarify the behavior of InitiateAuth with REFRESH_TOKEN_AUTH and the Pre authentication trigger.

  • Thanks Osvaldo
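As an added illustration of the behaviour discussed in this thread (example code written for this page, not code from the question, the answer, or AWS), here is a Node.js Lambda for the Pre token generation trigger that reads `platform` from ClientMetadata on the initial login, validates it against an allow list (ClientMetadata is set by the calling client, so it is untrusted input), records it per user as the answer's comment suggests, and on a `TokenGeneration_RefreshTokens` invocation, where Cognito delivers no ClientMetadata, falls back to that recorded value or issues the token with no platform claim rather than guessing. It uses the V2 event shape (`claimsAndScopeOverrideDetails.accessTokenGeneration`), since that is the shape that can add claims to the access token; the V1 trigger only customizes the ID token through `claimsOverrideDetails`. The platform names, the in-memory `Map` standing in for a database, and the sample events are assumptions made for the example, and the fallback keeps the limitation raised in the comments: it knows only the last login platform, not which platform is refreshing.

```javascript
// Added example, not code from the thread: Pre token generation handler (V2 event shape).

// Placeholder names for the three apps; the thread does not give the real values.
const KNOWN_PLATFORMS = new Set(['PLATFORM_A', 'PLATFORM_B', 'PLATFORM_C']);

// Stand-in for the "remember the platform at login" workaround from the comments.
// Keyed by the user's sub; a real deployment would use DynamoDB or similar.
// It only knows the LAST login platform, which is the caveat raised in the thread.
const lastLoginPlatform = new Map();

// ClientMetadata is supplied by the calling client, so treat it as untrusted:
// only an allow-listed value may influence the token.
function platformFromMetadata(clientMetadata) {
  const platform = clientMetadata && clientMetadata.platform;
  return KNOWN_PLATFORMS.has(platform) ? platform : null;
}

function resolvePlatform(event) {
  const request = event.request || {};
  const sub = request.userAttributes && request.userAttributes.sub;
  if (event.triggerSource === 'TokenGeneration_RefreshTokens') {
    // Cognito does not deliver ClientMetadata on refresh: use the value
    // recorded at the initial login, or null if the user was never seen.
    return (sub && lastLoginPlatform.get(sub)) || null;
  }
  const platform = platformFromMetadata(request.clientMetadata);
  if (platform && sub) lastLoginPlatform.set(sub, platform);
  return platform;
}

// Synchronous core: returns the event with an access-token claim override when
// a platform is known; otherwise the token is issued without the custom claim
// (fail closed) instead of guessing the platform.
function buildResponse(event) {
  const platform = resolvePlatform(event);
  event.response = event.response || {};
  if (platform === null) return event;
  event.response.claimsAndScopeOverrideDetails = {
    accessTokenGeneration: { claimsToAddOrOverride: { platform } },
  };
  return event;
}

// Lambda entry point.
async function handler(event) {
  return buildResponse(event);
}

// Constructed sample events (field names follow the trigger's documented event;
// the values are made up for this example).
function sampleLoginEvent(sub, platform) {
  return {
    version: '2',
    triggerSource: 'TokenGeneration_Authentication',
    request: { userAttributes: { sub }, clientMetadata: { platform } },
    response: {},
  };
}

function sampleRefreshEvent(sub) {
  return {
    version: '2',
    triggerSource: 'TokenGeneration_RefreshTokens',
    request: { userAttributes: { sub } }, // no clientMetadata, as observed in the thread
    response: {},
  };
}

// Inspection helper: the platform claim the handler would add, or null.
function platformClaim(event) {
  const d = event.response && event.response.claimsAndScopeOverrideDetails;
  return d ? d.accessTokenGeneration.claimsToAddOrOverride.platform : null;
}
```

Running `buildResponse` on a login event for a user and then on a refresh event for the same user yields the same platform claim both times; a refresh for a user with no recorded login, or a login whose metadata carries a value outside the allow list, produces a token with no platform claim and records nothing.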
