I'm really struggling to add custom roles or groups in the JWT token generated by Cognito. I'm using the Pre-Token generation trigger in Cognito to execute a Lambda. I'm adding the "groupOverrideDetails" object in the response. Here is my final output:

    "response": {
        "claimsOverrideDetails": {
            "claimsToAddOrOverride": {
                "custom_attribute_key2": "attribute_value2",
                "custom_attribute_key": "attribute_value"
            }
        },
        "groupOverrideDetails": {
            "groupsToOverride": [
                "developers"
            ],
            "iamRolesToOverride": [
                "S3_Access_Admin"
            ],
            "preferredRole": "S3_Access_Admin"
        }
    }

But in my JWT token, I do not see any of the above mentioned roles or groups.

  1. Can you please tell me what I am missing?
  2. Secondly, is it important for the "developers" group and the "S3_Access_Admin" role to actually exist in AWS? What if I need to add a custom group in AWS?

Shiva Wahi
  • Did you select "choose role from token" in Identity pool settings? – Ninad Gaikwad Feb 05 '20 at 07:39
  • Go through the Chrome developer console and check in the network tab all the calls made to Cognito; check every call's response that contains the id token for these groups. Maybe your group info is set but is immediately removed in another successive call. – Paramvir Singh Karwal Mar 04 '20 at 17:34

2 Answers

I don't know what validation is done on the groups and roles you add in the claim, but the only thing I see is that you need to nest the groupOverrideDetails inside the claimsOverrideDetails. Here is a snippet I was able to get working.

    def lambda_handler(event, context):
        # IAM role ARNs to inject (however you derive them for this user)
        role_arns = ...
        request = event['request']
        event['response'] = {
            'claimsOverrideDetails': {
                # groupOverrideDetails must sit inside claimsOverrideDetails
                'groupOverrideDetails': {
                    # we don't need to modify the groups in our case
                    'groupsToOverride': request['groupConfiguration']['groupsToOverride'],
                    # this will set the claim 'cognito:roles'
                    'iamRolesToOverride': role_arns,
                    # this will set the claim 'cognito:preferredRole'
                    'preferredRole': role_arns[0],
                },
            },
        }
        return event

The following Stack Overflow question helped me: AWS Cognito - create groups from ADFS as Cognito Groups

For future reference, here is the AWS doc. Scroll down to the section titled "Pre Token Generation Example: Modify the User's Group Membership": https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

Justin Thomas

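To make the nesting point concrete, here is an added, self-contained Pre Token Generation handler (example code, not from either answer or from AWS). It derives IAM role ARNs from the user's Cognito groups via a hypothetical mapping, places `groupOverrideDetails` under `claimsOverrideDetails`, and includes a small check that flags the flat shape from the question; the sample event and the role ARN (with a placeholder account id) are constructed for the example.

```python
# Constructed sample event, trimmed to the fields a Pre Token Generation
# trigger uses here (Cognito sends more, e.g. callerContext and triggerSource).
def make_sample_event():
    return {
        "request": {
            "userAttributes": {"sub": "example-sub", "email": "user@example.com"},
            "groupConfiguration": {
                "groupsToOverride": ["developers"],
                "iamRolesToOverride": [],
                "preferredRole": None,
            },
        },
        "response": {},
    }


# Hypothetical group -> IAM role mapping; 123456789012 is a placeholder account id.
GROUP_TO_ROLE_ARN = {
    "developers": "arn:aws:iam::123456789012:role/S3_Access_Admin",
}


def lambda_handler(event, context=None):
    """Return the event with group/role overrides in the shape Cognito reads."""
    groups = event["request"]["groupConfiguration"]["groupsToOverride"]
    # Only map groups we know; unknown groups get no role rather than a bogus ARN.
    role_arns = [GROUP_TO_ROLE_ARN[g] for g in groups if g in GROUP_TO_ROLE_ARN]
    override = {
        "claimsToAddOrOverride": {"custom_attribute_key": "attribute_value"},
        # groupOverrideDetails goes INSIDE claimsOverrideDetails, not beside it.
        "groupOverrideDetails": {
            "groupsToOverride": groups,        # becomes the cognito:groups claim
            "iamRolesToOverride": role_arns,   # becomes the cognito:roles claim
        },
    }
    if role_arns:
        # cognito:preferredRole; only set when there is a role to prefer
        override["groupOverrideDetails"]["preferredRole"] = role_arns[0]
    event["response"] = {"claimsOverrideDetails": override}
    return event


def group_override_is_nested(response):
    """True when groupOverrideDetails sits where Cognito will look for it."""
    return "groupOverrideDetails" in response.get("claimsOverrideDetails", {})
```

Running `group_override_is_nested` on the response from the question returns False, which is the mistake the answer above describes.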

If you are trying to add custom attrs to the access token: injecting custom attrs into the access token is not supported. Normally the Pre-Token generation trigger adds them to the id token.

Note: if you are using Amplify in your frontend you could get the id token as

    // await the session, then read the id token (the one the trigger modifies)
    (await Amplify.Auth.currentSession()).getIdToken().getJwtToken()

It worked yesterday.