Customize Access Tokens in Amazon Cognito User Pools

Overview

Effortlessly integrate user authentication and access control in mere minutes. This comprehensive guide delves into the process of customizing access tokens within Amazon Cognito user pools, using AWS Lambda for dynamic authentication. It highlights the benefits of tailored access tokens for web and mobile applications, offering a step-by-step approach to enhance user experience and security.

Introduction

Enhance your user pool’s authentication process and user experience using AWS Lambda functions in Amazon Cognito. This blog post explores the intricate process of leveraging two pivotal AWS services, Amazon Cognito and AWS Lambda, to customize access tokens, offering enhanced security and a personalized user experience.

By integrating these services, developers can dynamically modify authentication tokens, ensuring that applications meet diverse security requirements and provide a tailored access strategy for each user.

Through detailed examples and practical steps, we will uncover how to harness the full potential of Amazon Cognito’s advanced security features and AWS Lambda’s flexible computing power to create a robust and customized user authentication process.

Pioneers in Cloud Consulting & Migration Services

Reduced infrastructural costs
Accelerated application deployment

Get Started

AWS Lambda trigger flow

Enhance and personalize your tokens by opting for Amazon Cognito to trigger a pre-token generation process during user authentication.

A user logs into your application and undergoes authentication via an Amazon Cognito user pool.
Once authentication is completed, Amazon Cognito initiates the pre-token generation Lambda trigger. This process involves sending relevant event data, like userAttributes and scopes, to your Lambda function as part of a pre token generation event.
Your AWS Lambda function code executes token enrichment logic and then sends a response event back to Amazon Cognito, specifying the claims you wish to include or exclude.
Amazon Cognito provides your application with a personalized JSON Web Token (JWT).

The pre-token generation trigger flow accommodates OAuth 2.0 grant types, including authorization code grant flow and implicit grant flow. It also supports user authentication through the AWS SDK.

Activate Access Token Customization

Amazon Cognito user pools provide two pre-token generation trigger event versions for AWS Lambda functions. Version 1 includes userAttributes, groupConfiguration, and clientMetadata for customizing ID token claims. Version 2 adds scope for customizing access token scopes and other claims. This section will guide you on enabling event version 2 for access token customization in your user pool.

This section will guide you through configuring your user pool to trigger event version 2, enabling access token customization.

To enable access token customization:

Access the Amazon Cognito user pool console and select “User pools.”
Select the specific user pool for which you want to customize tokens.
Navigate to the “User pool properties” tab, and in the “Lambda triggers” section, click “Add Lambda trigger.”

step3

Within the “Lambda triggers” section, follow these steps:
- Choose “Authentication” as the Trigger type.
- Select “Pre token generation trigger” for the Authentication option.
- Choose “Basic features + access token customization – Recommended” for the Trigger event version. Ensure that you have advanced security features enabled if this option is not available to you, as it’s required for access to this choice.

step4

Choose your AWS Lambda function and designate it as the pre-token generation trigger. Afterward, click on “Add Lambda trigger.”

step5

Sample Pre-Token Generation Trigger

Having enabled access token customization, this blog will guide you through a code example of the pre token generation Lambda trigger, specifically version 2. This code examines the trigger event request and adds a custom claim and OAuth scope to the response. Amazon Cognito utilizes this to customize the access token to accommodate various authorization requirements. In this example, the event request includes user attributes, original scope claims, and group configurations. It also features two custom attributes—membership and location- collected during user registration and stored in the Cognito user pool.

{
  "version": "2",
  "triggerSource": "TokenGeneration_HostedAuth",
  "region": "us-east-1",
  "userPoolId": "us-east-1_01EXAMPLE",
  "userName": "mytestuser",
  "callerContext": {
    "awsSdkVersion": "aws-sdk-unknown-unknown",
    "clientId": "1example23456789"
  },
  "request": {
    "userAttributes": {
      "sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
      "cognito:user_status": "CONFIRMED",
      "email": "my-test-user@example.com",
      "email_verified": "true",
      "custom:membership": "Premium",
      "custom:location": "USA"
    },
    "groupConfiguration": {
      "groupsToOverride": [],
      "iamRolesToOverride": [],
      "preferredRole": null
    },
    "scopes": [
      "openid",
      "profile",
      "email"
    ]
  },
  "response": {
    "claimsAndScopeOverrideDetails": null
  }
}

{

"version": "2",

"triggerSource": "TokenGeneration_HostedAuth",

"region": "us-east-1",

"userPoolId": "us-east-1_01EXAMPLE",

"userName": "mytestuser",

"callerContext": {

"awsSdkVersion": "aws-sdk-unknown-unknown",

"clientId": "1example23456789"

"request": {

"userAttributes": {

"sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",

"cognito:user_status": "CONFIRMED",

"email": "my-test-user@example.com",

"email_verified": "true",

"custom:membership": "Premium",

"custom:location": "USA"

"groupConfiguration": {

"groupsToOverride": [],

"iamRolesToOverride": [],

"preferredRole": null

"scopes": [

"openid",

"profile",

"email"

]

"response": {

"claimsAndScopeOverrideDetails": null

}

The user’s location and membership attributes are transformed to create a custom claim and scope in the code example provided. This is achieved by using the claimsToAddOrOverride field to generate a new custom claim named demo:membershipLevel with a value of Premium sourced from the event request. Additionally, a new scope, membership:USA.Premium, is created via the scopesToAdd claim. Both the new claim and scope are then included in the event response.

// Java Script
export const handler = function(event, context) {
  // Retrieve user attribute from event request
  const userAttributes = event.request.userAttributes;
  // Add scope to event response
  event.response = {
    "claimsAndScopeOverrideDetails": {
      "idTokenGeneration": {},
      "accessTokenGeneration": {
        "claimsToAddOrOverride": {
          "demo:membershipLevel": userAttributes['custom:membership']
        },
        "scopesToAdd": ["membership:" + userAttributes['custom:location'] + "." + userAttributes['custom:membership']]
      }
    }
  };
  // Return to Amazon Cognito
  context.done(null, event);
}

// Java Script

export const handler = function(event, context) {

// Retrieve user attribute from event request

const userAttributes = event.request.userAttributes;

// Add scope to event response

event.response = {

"claimsAndScopeOverrideDetails": {

"idTokenGeneration": {},

"accessTokenGeneration": {

"claimsToAddOrOverride": {

"demo:membershipLevel": userAttributes['custom:membership']

"scopesToAdd": ["membership:" + userAttributes['custom:location'] + "." + userAttributes['custom:membership']]

}

};

// Return to Amazon Cognito

context.done(null, event);

}

The AWS Lambda trigger sends the response to Amazon Cognito, indicating the necessary customizations for the access tokens. In this case, it communicates the addition of a custom claim called “demo:membershipLevel” with the value “Premium” and the creation of a new scope “membership:USA.Premium” to be incorporated into the access tokens.

"response": {
  "claimsAndScopeOverrideDetails": {
    "idTokenGeneration": {},
    "accessTokenGeneration": {
      "claimsToAddOrOverride": {
        "demo:membershipLevel": "Premium"
      },
      "scopesToAdd": [
        "membership:USA.Premium"
      ]
    }
  }
}

"response": {

"claimsAndScopeOverrideDetails": {

"idTokenGeneration": {},

"accessTokenGeneration": {

"claimsToAddOrOverride": {

"demo:membershipLevel": "Premium"

"scopesToAdd": [

"membership:USA.Premium"

]

}

Following the described customizations, Amazon Cognito issues tokens with these modifications during runtime, enhancing access and authorization capabilities based on the added custom claim and scope.

{
  "sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_01EXAMPLE",
  "version": 2,
  "client_id": "1example23456789",
  "event_id": "01faa385-562d-4730-8c3b-458e5c8f537b",
  "token_use": "access",
  "demo:membershipLevel": "Premium",
  "scope": "openid profile email membership:USA.Premium",
  "auth_time": 1702270800,
  "exp": 1702271100,
  "iat": 1702270800,
  "jti": "d903dcdf-8c73-45e3-bf44-51bf7c395e06",
  "username": "mytestuser"
}

{

"sub": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",

"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_01EXAMPLE",

"version": 2,

"client_id": "1example23456789",

"event_id": "01faa385-562d-4730-8c3b-458e5c8f537b",

"token_use": "access",

"demo:membershipLevel": "Premium",

"scope": "openid profile email membership:USA.Premium",

"auth_time": 1702270800,

"exp": 1702271100,

"iat": 1702270800,

"jti": "d903dcdf-8c73-45e3-bf44-51bf7c395e06",

"username": "mytestuser"

}

Your application can now utilize the newly added custom scope and claim to authorize users and deliver a personalized experience.

Be aware of limits

When dealing with tokens transmitted across diverse networks and systems, it’s crucial to consider potential size limitations. To ensure smooth token processing, keep the scope and claim names concise while retaining their descriptive nature. This approach helps minimize the risk of encountering size-related issues within your systems.

Conclusion

In this guide, you’ve gained insights into integrating a pre-token generation AWS Lambda trigger with your Amazon Cognito user pool to tailor access tokens. This customization feature empowers you to offer personalized services to end-users, leveraging claims and OAuth scopes. For additional details, refer to the “pre-token generation Lambda trigger” section in the Amazon Cognito Developer Guide.

Drop a query if you have any questions regarding Amazon Cognito User Pool and we will get back to you quickly.

Making IT Networks Enterprise-ready – Cloud Management Services

Accelerated cloud migration
End-to-end view of the cloud environment

Get Started

About CloudThat

CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.

CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, Microsoft Gold Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.

FAQs

1. What is the purpose of customizing access tokens in Amazon Cognito?

ANS: – Customizing access tokens in Amazon Cognito allows you to tailor the tokens to suit your application’s specific authorization needs. This customization enables you to provide differentiated services to end-users based on claims and OAuth scopes.

2. Are there any limitations when customizing access tokens?

ANS: – Yes, when customizing access tokens, it’s important to keep the scope and claim names as short as possible while still being descriptive. This helps prevent potential token size limitations, ensuring smooth token processing as they traverse various networks and systems.

WRITTEN BY Naman Jain

Naman works as a Research Intern at CloudThat. With a deep passion for Cloud Technology, Naman is committed to staying at the forefront of advancements in the field. Throughout his time at CloudThat, Naman has demonstrated a keen understanding of cloud computing and security, leveraging his knowledge to help clients optimize their cloud infrastructure and protect their data. His expertise in AWS Cloud and security has made him an invaluable team member, and he is constantly learning and refining his skills to stay up to date with the latest trends and technologies.