Ning

Reputation: 419

How to connect tenant_id to client id/secret for Application Client based multi-tenancy on AWS Cognito?

I am trying to build a SaaS system for a machine-2-machine authentication scenario, which is exactly the same as described in the document: "You have a B2B multi-tenant application, and tenant backend services use a client-credentials grant to access your services. In this case, you can create an application client for each tenant and share the client-id and secret with the tenant backend service for machine-to-machine authentication."

I think these are the steps:

1. Assign one or more client_ids/secrets for a given tenant.
2. The tenant calls the /auth2/token API to get an access token.
3. Use the access JWT token for API authentication.

However, I have to recognize the tenant_id from the client_id, for statistics or fees. I guess the best way is to put a tenant_id field in the access token? But how? Any suggestions?

Upvotes: 0

Views: 854

Answers (1)

Sampath Dilhan

Reputation: 815

In Cognito, adding custom attributes to the access token is not supported. We can add custom attributes only to the id_token, not to an access_token.

Which actually makes sense based on their intended usages. As stated in the Okta documentation:

The ID Token is a security token granted by the OpenID Provider that contains information about an End-User.

Access tokens, on the other hand, are not intended to carry information about the user. They simply allow access to certain defined server resources.

So, the answer is NO, we cannot add a tenant_id field to the access_token.

Having said that, if you don't have another option and you really really need this to be in the access token, I can provide a hint which I don't recommend:

You can try this with the Pre token generation lambda. Please note that this lambda trigger is mainly intended to customize the id_token claims. However, as stated in the document:

Amazon Cognito ID and access tokens both contain the cognito:groups claim. Your groupOverrideDetails object replaces the cognito:groups claim in access tokens and ID tokens.

So, you should be able to modify the cognito:groups attribute in the access token by manipulating the groupOverrideDetails object. With that you can try to sneak tenant_id into the cognito:groups array.

NOTE: I don't recommend this, as the tenant_id is not a valid group and this can create side effects in the application which can lead to vulnerabilities.

Upvotes: 1
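The supported way to get from a client-credentials access token to a tenant, without rewriting the token's claims as the answer above warns against, is to keep the mapping on the resource-server side: the access token Cognito issues for the client-credentials grant carries a `client_id` claim, and the API looks that id up in its own registry of "which app client belongs to which tenant" (the assignment from step 1 of the question). The following is an added example, not code from the question, the answer or AWS; it assumes the token has already been verified (signature, issuer, expiry) by an API Gateway JWT authorizer or a JWT library and that the verified claims are passed in as a plain object. The client ids, tenant names and claim values are constructed.

```javascript
// Added example (not from the question or answer): resolve a tenant from the
// client_id claim of a verified Cognito client-credentials access token
// instead of trying to put tenant_id inside the token.
//
// Assumption (not stated on the page): `claims` is the payload of an access
// token that has ALREADY been verified upstream; this code does no signature
// checking itself.

// Constructed registry: app client ids -> tenant. In a real deployment this is
// a database or config table written when the app client is created for the
// tenant. A tenant may own several app clients.
const CLIENT_TENANT_MAP = Object.freeze({
  "1example23456789": { tenantId: "tenant-acme", plan: "enterprise" },
  "9example87654321": { tenantId: "tenant-acme", plan: "enterprise" }, // 2nd client, same tenant
  "5exampleabcdef01": { tenantId: "tenant-globex", plan: "starter" },
});

// Cognito marks access tokens with token_use = "access"; an ID token says "id".
const EXPECTED_TOKEN_USE = "access";

/**
 * Map a verified access-token claim set to the tenant that owns the client.
 * Throws for anything that is not an access token or whose client_id is not
 * registered, so an unknown app client cannot be attributed to any tenant.
 */
function resolveTenant(claims, registry = CLIENT_TENANT_MAP) {
  if (!claims || claims.token_use !== EXPECTED_TOKEN_USE) {
    throw new Error("rejected: not an access token");
  }
  const clientId = claims.client_id;
  if (
    typeof clientId !== "string" ||
    !Object.prototype.hasOwnProperty.call(registry, clientId)
  ) {
    throw new Error("rejected: unknown client_id");
  }
  const entry = registry[clientId];
  return { tenantId: entry.tenantId, plan: entry.plan, clientId };
}

/**
 * Metering hook for the "statistics or fees" use case: count one API call
 * against the tenant behind the calling client. Returns the counter map so the
 * caller (or a test) can inspect it.
 */
function recordUsage(claims, counters = new Map()) {
  const { tenantId } = resolveTenant(claims);
  counters.set(tenantId, (counters.get(tenantId) || 0) + 1);
  return counters;
}

// Constructed claim set shaped like a Cognito client-credentials access token
// (values are placeholders, not a real token).
const sampleClaims = {
  sub: "1example23456789",
  token_use: "access",
  scope: "orders/read",
  client_id: "1example23456789",
  iss: "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
  exp: 1700000000,
};

// Demo: two calls from the same client are billed to one tenant.
const usage = recordUsage(sampleClaims, recordUsage(sampleClaims));
console.log(resolveTenant(sampleClaims)); // { tenantId: 'tenant-acme', plan: 'enterprise', clientId: '1example23456789' }
console.log(Object.fromEntries(usage));   // { 'tenant-acme': 2 }
```

Because the tenant id never leaves the server, revoking or rotating a tenant's app client only touches the registry and the Cognito app client; nothing about the token format or the cognito:groups claim is changed, and an unregistered client id is rejected before any tenant data is touched.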
