Hi, currently it is not possible to add custom claims to the access-token. If you just want to know which user pool has been used to authenticate the user, then you can use the "iss" claim, which has the issuer user-pool-id in it. You will need to keep a mapping between user-pool-id and tenant-id in your backend and look up this mapping in your application when needed.
Having a group that all users belong to is a good idea as well, if this allows you to propagate the information you need about tenants without having to keep an external storage. Another option is to use usernames that are a combination of tenant-id and username; the username gets propagated to the access-token as well.
Seems like you should be able to add claims if you use this Lambda hook - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
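The `iss`-to-tenant lookup described in the first answer, sketched as an added example that is not part of the original thread: the issuer is matched against an allow-list of your own pools before any keys are fetched, and the tenant is resolved only from claims a JWT library has already verified. The pool ids, tenant names and function names are hypothetical, and signature verification itself is assumed to happen between the two steps.

```python
import base64
import json

# Constructed mapping (pool ids are placeholders): Cognito issuer URL -> tenant id.
TENANT_BY_ISSUER = {
    "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE01": "tenant-a",
    "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE02": "tenant-b",
}

class UntrustedToken(Exception):
    """Raised when a token cannot be tied to one of the known tenant pools."""

def _decode_segment(segment):
    padded = segment + "=" * (-len(segment) % 4)  # restore base64url padding
    try:
        obj = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise UntrustedToken("malformed token segment") from exc
    if not isinstance(obj, dict):
        raise UntrustedToken("token payload is not a JSON object")
    return obj

def select_issuer(token):
    """Step 1, before signature verification: pick the JWKS to verify against."""
    # The payload is untrusted here, so `iss` is only a lookup key into the
    # allow-list; a JWKS URL is never built from an issuer we do not own.
    parts = token.split(".")
    if len(parts) != 3:
        raise UntrustedToken("not a compact JWS")
    iss = _decode_segment(parts[1]).get("iss")
    if not isinstance(iss, str) or iss not in TENANT_BY_ISSUER:
        raise UntrustedToken("issuer is not one of our user pools")
    return iss, iss + "/.well-known/jwks.json"

def tenant_from_verified_claims(claims, expected_iss):
    """Step 2, after a JWT library verified signature and expiry with that JWKS."""
    if claims.get("iss") != expected_iss:
        raise UntrustedToken("issuer differs from the one selected in step 1")
    if claims.get("token_use") != "access":
        raise UntrustedToken("not an access token")
    return TENANT_BY_ISSUER[expected_iss]

def make_sample_token(claims):
    """Constructed, unsigned sample for the demo; real tokens come from Cognito."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.c2ln"
```
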