Mahesh_Loya

Reputation: 2832

Custom attribute not passed into ID_TOKEN created by AWS Cognito

I am not able to get a custom attribute in the ID_TOKEN returned from AWS Cognito after a successful user login.

Steps I tried:

1. Created user pool
2. Created app client and checked the custom attributes (customattrib1, customattrib2)

User Pool screen:

[screenshot]

Check custom attribute in app client config:

[screenshot]

3. Created the user using the admin-create-user API

Below image shows the value for user attributes:

[screenshot]

4. Signed in the user using aws-cognito-auth.js in the client app. The ID token returned does not contain the custom attribute.

ID_TOKEN

{
  "at_hash": "PKfjYDaiEty5mUOyJZlPQA",
  "sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
  "email_verified": true,
  "iss": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_XXXXXXX",
  "phone_number_verified": true,
  "cognito:username": "testuser",
  "aud": "XYXYXYXYX",
  "token_use": "id",
  "auth_time": 1549349674,
  "phone_number": "##########",
  "exp": 1549353274,
  "iat": 1549349674,
  "email": "[email protected]"
}

I have already checked the links below, which had some info regarding this issue, but nothing has helped so far.

Adding Cognito custom attributes post pool creation?

Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider

https://www.reddit.com/r/aws/comments/a07dwg/cognito_add_custom_attribute_to_jwt_token/

Please help me figure out if I am missing something.

Upvotes: 41

Views: 23187

Answers (4)

JDBennett

Reputation: 1505

For anyone coming here who is using the Amplify SDK like the OP - Copy and Paste calls out an important point: your client ALSO needs to explicitly ask for the scope.

In my case I am using Angular. After adding "profile" to the User Pool "Allowed OAuth Scopes", you also need to specify it in your client configuration:

[screenshot of the client configuration]

Upvotes: 2

HobojoeBr

Reputation: 619

For me the problem was that I was getting my token (after authenticating with the Amplify js library) from:

Auth.currentSession().then(u => u.getAccessToken().getJwtToken())

Instead of:

Auth.currentSession().then(u => u.getIdToken().getJwtToken());

After changing it, it worked fine! Hope it helps!

Upvotes: 0

Ojasvi Monga

Reputation: 5119

  • In your Cognito user pool go to General Settings -> App Clients, then for each app client click on Show Details, then Set attribute read and write permissions. Check the checkbox next to your attribute name under Readable Attributes.
  • In your Cognito user pool go to App client settings -> Allowed OAuth Scopes and enable profile scope.

Upvotes: 68

JacekS

Reputation: 161

I had the same trouble and your question came up when I was searching for a solution.

My custom attributes started to appear in the ID token when I enabled the profile scope in 'App client settings'. (Available at: AWS console -> 'User pools' -> click your pool -> 'App client settings' -> 'Allowed OAuth Scopes'.)

(BTW: I was misled by this sentence from the documentation: "The openid scope returns all user attributes in the ID token that are readable by the client". In my case the openid scope was not enough.)

Upvotes: 16
