Luke Becker

Reputation: 894

AWS Cognito Pre Auth Trigger Error "Unrecognizable lambda output"

I'm trying to suppress the aws.cognito.signin.user.admin scope from being in the access token in certain cases. I am getting the following error:

Error authenticating with Cognito: InvalidLambdaResponseException: Unrecognizable lambda output

This is the output of my lambda function, with placeholder values for user and pool info:

{
    "version": "1",
    "region": "us-east-2",
    "userPoolId": "userpool",
    "userName": "id",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-nodejs-2.1584.0",
        "clientId": "clientid"
    },
    "triggerSource": "PreAuthentication_Authentication",
    "request": {
        "userAttributes": {
            "sub": "10aa03fc-d238-45ca-ab7d-6a86942b76c2",
            "cognito:email_alias": "[email protected]",
            "cognito:user_status": "CONFIRMED",
            "email_verified": "true",
            "name": "Blah",
            "email": "[email protected]"
        },
        "validationData": null,
        "userNotFound": false
    },
    "response": {
        "claimsAndScopeOverrideDetails": {
            "accessTokenGeneration": {
                "scopesToAdd": [
                    "openid"
                ],
                "scopesToSuppress": [
                    "aws.cognito.signin.user.admin"
                ]
            }
        }
    }
}

Here is my code:

export const handler = async (event: any) => {
    // Note: this logs the full event, including user attributes such as email and sub, to CloudWatch
    console.log('Received event:', JSON.stringify(event));

    // Retrieve user attributes from the event request
    const userAttributes = event.request.userAttributes;

    // Only the placeholder alias gets "openid" added and the self-service admin scope suppressed
    const isTargetUser = userAttributes['cognito:email_alias'] === '[email protected]';

    // Construct the response based on the example structure
    event.response = {
        "claimsAndScopeOverrideDetails": {
            "accessTokenGeneration": {
                "claimsToAddOrOverride": {},
                "scopesToAdd": isTargetUser ? ['openid'] : [],
                "scopesToSuppress": isTargetUser ? ['aws.cognito.signin.user.admin'] : []
            },
            "groupOverrideDetails": {}
        }
    };

    // Log the constructed response for debugging
    console.log('Response:', JSON.stringify(event.response));

    // Return the mutated event to Amazon Cognito (async handlers return instead of calling context.done)
    return event;
};


Can anyone see what I am doing wrong?

Upvotes: 0

Views: 156

Answers (1)

Luke Becker

Reputation: 894

Never mind, I figured it out. By default, Cognito delivers version 1 of the events. The scopesToSuppress and scopesToAdd aren't available until version 2 of the events. To turn this version on, you have to enable advanced security features, which in turn is expensive for just this use case.

Upvotes: 0
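The version split the answer describes is worth handling explicitly in the trigger, because a version-1 event silently cannot do what the code asks of it. The scope override fields (claimsAndScopeOverrideDetails.accessTokenGeneration.scopesToAdd / scopesToSuppress) are read only from the Pre Token Generation trigger's version-2 event; the version-1 event exposes claimsOverrideDetails, which can add or suppress claims but not scopes. aws.cognito.signin.user.admin is also the scope that lets a bearer of the access token call the user pool's self-service APIs (for example UpdateUserAttributes or DeleteUser) on their own account, so suppressing it for users who do not need it is a real least-privilege reduction. The handler below is an added example, not the poster's code or anything from AWS: it branches on event.version, ignores events from triggers other than Pre Token Generation, and fails closed (throws, which makes Cognito reject the sign-in) when a version-1 event would otherwise issue the scope the policy wanted removed. The policy itself (keep the scope only for users whose hypothetical custom:role attribute is "support") and the trimmed event interfaces are assumptions for illustration.

```typescript
// Added example: Pre Token Generation handler that suppresses the self-service
// admin scope, with explicit handling of the V1/V2 event split. Not the
// poster's code; the event shapes below are trimmed to the fields used.

// Subset of the Cognito Pre Token Generation event (assumption: the real event
// carries more fields, e.g. userPoolId and callerContext).
interface PreTokenGenEvent {
    version: string;                                   // "1" or "2"
    triggerSource: string;                             // e.g. "TokenGeneration_Authentication"
    request: { userAttributes: Record<string, string> };
    response: Record<string, unknown>;
}

// V2 access-token override block (V2 requires advanced security features).
interface AccessTokenOverrides {
    claimsToAddOrOverride?: Record<string, string>;
    claimsToSuppress?: string[];
    scopesToAdd?: string[];
    scopesToSuppress?: string[];
}
interface V2Response {
    claimsAndScopeOverrideDetails: { accessTokenGeneration: AccessTokenOverrides };
}

// Scope that grants the token holder self-service user pool API calls
// (UpdateUserAttributes, DeleteUser, ...) on their own account.
export const ADMIN_SCOPE = "aws.cognito.signin.user.admin";

// Hypothetical policy (assumption): only "support" users keep the scope.
export function shouldSuppressAdminScope(attrs: Record<string, string>): boolean {
    return attrs["custom:role"] !== "support";
}

// Pure override computation, kept separate so it can be unit-tested.
export function accessTokenOverrides(attrs: Record<string, string>): AccessTokenOverrides {
    return { scopesToSuppress: shouldSuppressAdminScope(attrs) ? [ADMIN_SCOPE] : [] };
}

// Applies the policy to the event and returns it for Cognito.
export function applyOverrides(event: PreTokenGenEvent): PreTokenGenEvent {
    // Only the Pre Token Generation trigger honours token override responses;
    // a Pre Authentication event (PreAuthentication_*) is returned untouched.
    if (!event.triggerSource.startsWith("TokenGeneration_")) {
        return event;
    }

    const overrides = accessTokenOverrides(event.request.userAttributes);

    if (event.version === "2") {
        // V2: scope overrides are part of the response schema.
        const response: V2Response = {
            claimsAndScopeOverrideDetails: { accessTokenGeneration: overrides },
        };
        event.response = response as unknown as Record<string, unknown>;
        return event;
    }

    // V1: scopesToSuppress is not part of the schema, so Cognito would reject
    // the response ("Unrecognizable lambda output"). Rather than silently
    // issuing the privileged scope, fail closed: an exception from the
    // trigger makes Cognito fail the authentication.
    if ((overrides.scopesToSuppress ?? []).length > 0) {
        throw new Error(
            `Pre Token Generation V1 event cannot suppress ${ADMIN_SCOPE}; ` +
            `enable the V2 trigger (advanced security features) or relax the policy`
        );
    }
    // Nothing to suppress for this user: leave the V1 response as received.
    return event;
}

// Lambda entry point.
export const handler = async (event: PreTokenGenEvent): Promise<PreTokenGenEvent> => {
    return applyOverrides(event);
};
```

Failing closed on a version-1 event is a deliberate choice: it turns a quiet privilege leak into a visible sign-in failure that shows up in the trigger's error rate, which is what you want while the trigger version is still wrong. If that is too disruptive for the rollout, the alternative is to log and return the event unchanged, but then nothing in the token tells you the scope was supposed to be gone.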
