Reputation: 2693
I'm using Lambda functions, executed via API Gateway using a Cognito User Pool Authorizer.
I know I can get the "standard" user attributes (like `sub`, `email`, `cognito:username`, etc.) from `event.requestContext.authorizer.claims`.
But this does not include custom user attributes (like `custom:myAttribute`).
I know I can get them via adminGetUser, and this works, but I wonder whether I can save this call and somehow get those custom attributes automatically in the `event`?
Upvotes: 6
Views: 7978
Reputation: 1797
Have you already looked at this doc for custom claims? https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html. You will need to define the context in the following manner for custom attributes:

```json
{
  "context": {
    "role": "$context.authorizer.claims['custom:myAttribute']"
  }
}
```
Upvotes: 4
Reputation: 11332
After you add a custom attribute to a Cognito user pool and assign a value to it for a user, there are a couple of reasons why it won't appear in the `requestContext.authorizer.claims` collection.
The first and most obvious is that you need to make the custom attribute readable via the app client you use to generate the ID token you are authenticating with. If you are using the AWS console this is done by navigating to App Clients -> Show Details -> Set attribute read and write permissions, then ticking the attribute(s) you want to make visible to your Lambda.
The second reason for your attribute not appearing, even if you have completed the first step, is that the user's claims are encoded in the ID token you generate. This means that if you're using an ID token created before making the attribute(s) readable you still won't see them. The solution to this is to just generate a new ID token for your user at which point you should see the attributes in your Lambda's request context.
Upvotes: 3
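A Node.js Lambda handler that reads both the standard and the custom claims from the authorizer context and fails closed when a required custom attribute is absent (the unreadable-attribute or stale-token case from the second answer), as an added example that is not from the question or either answer. The attribute name `custom:myAttribute` follows the question; the function names and the sample event are assumptions.

```javascript
// Added example: read Cognito claims passed by an API Gateway Cognito User Pool
// Authorizer. Standard claims (sub, email, cognito:username) are always present;
// custom attributes are prefixed "custom:" and only appear if the app client
// may read them and the ID token was issued after that permission was granted.

function getClaims(event) {
  const ctx = event && event.requestContext;
  return (ctx && ctx.authorizer && ctx.authorizer.claims) || {};
}

// Collect the claims the business logic needs and report which required
// custom attributes are absent instead of silently passing `undefined` along.
function extractUserAttributes(event, requiredCustom) {
  const claims = getClaims(event);
  const custom = {};
  const missing = [];
  for (const name of requiredCustom) {
    const key = name.startsWith('custom:') ? name : `custom:${name}`;
    if (Object.prototype.hasOwnProperty.call(claims, key)) custom[key] = claims[key];
    else missing.push(key);
  }
  return { sub: claims.sub, email: claims.email, username: claims['cognito:username'], custom, missing };
}

// Lambda entry point (hypothetical name): 401 with no authorizer claims at all,
// 403 when a required custom attribute is missing, otherwise echo the user.
async function handler(event) {
  const user = extractUserAttributes(event, ['myAttribute']);
  if (!user.sub) return { statusCode: 401, body: JSON.stringify({ error: 'no authorizer claims' }) };
  if (user.missing.length > 0) {
    return { statusCode: 403, body: JSON.stringify({ error: 'missing claims', missing: user.missing }) };
  }
  return { statusCode: 200, body: JSON.stringify(user) };
}

// Constructed sample event in the shape API Gateway hands to Lambda (values are made up).
const SAMPLE_EVENT = {
  requestContext: { authorizer: { claims: {
    sub: '00000000-0000-4000-8000-000000000000', email: 'alice@example.com',
    'cognito:username': 'alice', 'custom:myAttribute': 'gold',
  } } },
};

if (typeof module !== 'undefined') module.exports = { getClaims, extractUserAttributes, handler, SAMPLE_EVENT };
```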