Reputation: 2693
I am using a "Cognito User Pool authorizer" (no "AWS_IAM" option, no custom coded authorizer) to call Lambda methods as HTTPS via API Gateway.
On Lambda, I set a custom user attribute custom:partnerId via adminUpdateUserAttributes under some circumstances.
I can verify that it has been set correctly via the Cognito User Pools AWS console.
On the iOS client, I can also successfully get all user attributes (including the custom one) as described in my answer at How to get Cognito user pool "sub" attribute on iOS.
The problem is this:
I do not receive this custom attribute in Lambda as event.requestContext.authorizer.claims['custom:partnerId'] with the next API requests until I force the user to sign in explicitly again (with username/password) on the iOS client.
After this explicit sign in, I then receive the custom attribute included in the authorizer.claims parameters as expected.
I don't know whether this is an API Gateway problem (since I assume it is fetching the Cognito user via the HTTP "Authorization" header), a problem with the iOS Cognito SDK, or a problem with Lambda itself.
Upvotes: 2
Views: 3738
Reputation: 1797
The Cognito User Pool Authorizer in API Gateway uses the Id token issued by Cognito. This Id token is valid for 1 hour and automatically gets refreshed by the iOS SDK by calling the Cognito refresh API internally. After refresh, the Id token will have the latest values. The refresh method is not available in the high-level SDK since it is implicitly called by the SDK. But you can use the low-level SDK and directly call the refresh API; this will give you the latest Id token. (I am a developer from the Cognito team and will take this as a feature request to allow the ability to refresh from the high-level SDK.)
Upvotes: 4
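The behaviour described in the answer, as an added example that is not part of the original posts: the Id token is a snapshot of the user's attributes at issue time, so a backend can compare the token's iat claim with the time it last changed the attribute and tell the client to refresh. The attributeUpdatedAt bookkeeping, the function names and the token values are assumptions constructed for illustration.

```javascript
// Added example, not code from the original post. All token values are constructed.

// Decode the payload (second segment) of a JWT without verifying it.
// Assumption: API Gateway's Cognito authorizer has already validated the
// signature before Lambda runs, so this is only used to read claims.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Classify whether the Id token can reflect an attribute change.
// attributeUpdatedAt: epoch seconds recorded by the backend when it called
// adminUpdateUserAttributes (hypothetical bookkeeping, e.g. a DB column).
function checkClaimFreshness(idToken, claimName, attributeUpdatedAt, now) {
  const claims = decodeJwtPayload(idToken);
  if (typeof claims.iat !== 'number' || typeof claims.exp !== 'number') {
    throw new Error('token lacks iat/exp');
  }
  if (now >= claims.exp) return { status: 'expired', value: undefined };
  if (claims.iat < attributeUpdatedAt) {
    // Token was issued before the update: its claims are a stale snapshot.
    return { status: 'stale', value: claims[claimName], refreshBy: claims.exp };
  }
  return { status: 'fresh', value: claims[claimName] };
}

// Build constructed sample tokens; the signature segment is a placeholder.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256' })}.${enc(payload)}.constructed-signature`;
}

const UPDATED_AT = 1700000600; // constructed: attribute set 10 min after sign-in
const oldToken = makeSampleToken({ sub: 'user-1', iat: 1700000000, exp: 1700003600 });
const newToken = makeSampleToken({ sub: 'user-1', iat: 1700000700, exp: 1700004300,
  'custom:partnerId': 'partner-42' });

console.log(checkClaimFreshness(oldToken, 'custom:partnerId', UPDATED_AT, 1700000900));
console.log(checkClaimFreshness(newToken, 'custom:partnerId', UPDATED_AT, 1700000900));
```

The same staleness applies in the other direction: an attribute removed or changed on the user pool stays in already-issued Id tokens until they expire or are refreshed, so authorization decisions that depend on a claim should account for that window.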