- Newest
- Most votes
- Most comments
Hello,
You can create a custom attribute [1] in your user pool, and then you can map [2] that custom attribute with the attribute name sent from identity provider side token endpoint.
For example, your identity provider sends the access token with a attribute named access_token. Then, you can create a custom attribute external_access_token. And map custom:external_access_token with access_token in attribute mapping section of your user pool [2].
I have tested this solution for Google and it worked. If you want to have other tokens (id token or refresh token) then you can create another custom attribute and map it in similar way.
Note: Please note that there is a size limit on length of a custom attribute. If the token sent from your IdP is longer than 2048 characters then this solution will not work.
I hope this helps. In case you have any further queries/concerns then please let me know.
--References--
[1] https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
Relevant content
- asked 9 months ago
- Accepted Answerasked 2 years ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 2 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 7 months ago
Isn't that for Cognito tokens, not external tokens?
Correct. "Amazon Cognito issues your application bearer tokens, which might include identity, access, and refresh tokens.". See the OIDC user pool IdP auth flow: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-oidc-flow.html
Right. So in that example, I am interested in retrieving and exposing the Salesforce tokens to my application. Not the tokens generated by Cognito (RP). Is this possible?