
I'm using a third-party provider, PingIdentity, which is tied into my corporate AD groups. PingIdentity has been configured to send the AD groups associated with the user that is logging in. On the AWS side, I'm using Cognito User Pools and I've added PingIdentity as an OAuth provider.

Everything works fine from an authentication standpoint. The issue is that I'm trying to get the corresponding AD groups, but when I hit Cognito's endpoints:

  • /oauth2/token
  • /oauth2/userInfo

I don't see any of the AD groups that are being sent back by PingIdentity. I also checked the id_token for the user, and they are not included in the JWT when I parse it.

Cognito seems to be doing the authentication on its end and then generating its own JWT and userinfo response every time I call the endpoint.

Is there a way to passthrough the AD groups when using Cognito?



I don't think it is possible with Cognito, which also does not support custom claims in access tokens.

One option is to proceed as follows, which is how I would solve your problem:

  • Develop a small user service that can return AD groups given a user id or email
  • Integrate a call to the user service into your API's token validation
  • Cache results for subsequent calls with the same token

FURTHER INFO

The main benefit of this pattern is extensibility, without depending on special Authorization Server features. It also keeps tokens small and confidential.

Gary Archer
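The three steps in the answer above (validate the token, look up the caller's AD groups in a separate user service, cache the result for later calls with the same token), written out as an added example; this is not code from the answer, from AWS or from Ping. Everything in it is constructed: the issuer URL, the shared HS256 secret (a stand-in for Cognito's RS256 key and JWKS, which a real API must verify against), the in-memory USER_DIRECTORY that plays the role of the user service, and the group names.

```python
"""Enrich a validated Cognito token with AD groups from a separate user service
and cache the result per token. Added example, not the answer's own code.
The token is HS256-signed with a shared secret so it runs offline; a real
Cognito access token is RS256 and must be verified against the pool's JWKS."""
import base64
import hashlib
import hmac
import json
import time

# --- constructed fixtures (not real Cognito or Ping data) ------------------
SECRET = b"example-signing-key"                                   # assumption
ISSUER = "https://cognito-idp.example.amazonaws.com/example-pool"  # assumption

# Stand-in for the "small user service": user id (token sub) -> AD groups.
USER_DIRECTORY = {
    "user-123": ["Finance", "Staff"],
    "user-456": ["Staff"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, exp: int) -> str:
    """Create a constructed access token carrying only sub/iss/exp, which is
    what the question observes: no group claims come back from Cognito."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"sub": sub, "iss": ISSUER, "exp": exp, "token_use": "access"}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, now=None) -> dict:
    """Step 1: verify signature, issuer and expiry; return claims or raise."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        given_sig = _b64url_decode(s)
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given_sig):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(p))
    except ValueError as exc:          # binascii/json errors are ValueErrors
        raise ValueError(f"invalid token: {exc}") from None
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def fetch_groups(sub: str) -> list:
    """Step 2: the call to the user service (stubbed with USER_DIRECTORY)."""
    return list(USER_DIRECTORY.get(sub, []))


class GroupEnricher:
    """Step 3: cache groups per token so each request is not a directory hit."""

    def __init__(self, max_ttl: int = 300):
        self.max_ttl = max_ttl
        self._cache = {}      # sha256(token) -> (expires_at, groups)
        self.lookups = 0      # counts user-service calls, for the test

    def groups_for(self, token: str, now=None) -> list:
        now = time.time() if now is None else now
        claims = validate_token(token, now)          # always validate first
        key = hashlib.sha256(token.encode()).hexdigest()  # never keep raw tokens
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return list(hit[1])
        groups = fetch_groups(claims["sub"])
        self.lookups += 1
        # Cache no longer than the token lives and no longer than max_ttl, so a
        # group removed in AD stops granting access within max_ttl seconds.
        self._cache[key] = (min(claims["exp"], now + self.max_ttl), groups)
        return list(groups)


def is_authorized(enricher: GroupEnricher, token: str, group: str, now=None) -> bool:
    """Authorization check an API route would call; any token error denies."""
    try:
        return group in enricher.groups_for(token, now)
    except ValueError:
        return False
```

The cache key is a hash of the token rather than the subject, so two tokens for the same user are cached and expire independently, and the cached entry never outlives the token. The max_ttl value is the trade-off the pattern introduces: it bounds both the load on the user service and how long a revoked group membership keeps working.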