
Is it possible to use the Cognito Access Token to generate an ID Token? I couldn't find any documentation on this online.

I'm trying to get an ID Token with custom claims, but the existing solutions don't work for my situation (details here). As a workaround, I'm thinking of manually asking Cognito for an ID Token directly with the Access Token after the user logs in.

What I tried

  • Calling Cognito's /oauth2/userinfo endpoint only returns the basic claims, not the custom claims I had added via the pre token generation lambda trigger.
  • Adding custom claims/attributes to the access token. Seems like that's not supported.
  • Idea I haven't explored: use Amplify and somehow get ID Token through there?
tbd_

2 Answers


You can use your access token to call the getUser method on the Cognito API: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html That will provide the user attributes: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

This provides the same data as you get on the ID token.

F_SO_K
  • Thanks for the reference! Seems like this is the Cognito SDK (Amplify JS being one of them) - is that what you were referring to? – tbd_ Mar 25 '21 at 20:09
  • Cognito SDK is a javascript library, you can import it in one line. Amplify is a whole set of tools and services that you can use for mobile development. – F_SO_K Mar 26 '21 at 08:49
  • Using the Cognito SDK would be the obvious option, it's the easiest way to access the Cognito API, but it's not required. – F_SO_K Mar 26 '21 at 08:51

No.

If you need attributes inside an ID token, excluding open id claims such as exp, iss, aud, then maybe it's possible.

But if you need an ID token (compliant with OIDC standard claims), then it is only issued by Cognito upon specific Cognito events.

The purpose of the ID token is to identify the user. The ID token is often sent in the Authorization header of a request to the backend server to be validated as a security measure. Knowing the purpose of the ID token, it is not strange that there are only specific ways to obtain it.

kayuapi_my
  • Isn't it ill-advised to send the ID token in the Authorization header? Doing some research on this, that seems to be the case. https://oauth.net/id-tokens-vs-access-tokens/ You can call Cognito's GetUser to get claims stored in the UserPool. Unfortunately, if you're using a pre-token-generation lambda, you won't be able to get to any of the injected claims. I think if you needed to do this, you'd have to send the ID token in a different header (x-something-id) but then you'd be responsible for validating the signature, and revocation would likely not work. – wz2b Feb 10 '23 at 03:14
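As an added example (not from the question or either answer), here is the claim-level check a backend would run on a Cognito JWT after verifying its signature against the user pool's JWKS; it shows why an access token presented where an ID token is expected must be rejected, and that claims injected by a pre-token-generation lambda only travel in the ID token payload. The region, pool ID, client ID and sample payloads are constructed placeholders, and signature verification is assumed to have already happened.

```python
import time

# Constructed placeholders: not a real pool, client or user.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"
ISSUER = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

# Constructed sample payloads, as they would look after signature verification.
SAMPLE_ID_CLAIMS = {
    "iss": ISSUER, "aud": APP_CLIENT_ID, "token_use": "id",
    "sub": "00000000-0000-0000-0000-000000000000",
    "exp": 1_700_003_600, "custom:tenant": "acme",  # injected by the lambda
}
SAMPLE_ACCESS_CLAIMS = {
    "iss": ISSUER, "client_id": APP_CLIENT_ID, "token_use": "access",
    "sub": "00000000-0000-0000-0000-000000000000",
    "exp": 1_700_003_600, "scope": "openid profile",
}


def validate_cognito_claims(claims, expected_use, now=None):
    """Return a list of problems with an already signature-verified Cognito
    JWT payload; an empty list means the claims are acceptable.
    expected_use is "id" or "access"."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("issuer mismatch")
    if claims.get("token_use") != expected_use:
        problems.append(
            f"token_use is {claims.get('token_use')!r}, expected {expected_use!r}")
    # Cognito puts the audience in `aud` on ID tokens and in `client_id`
    # on access tokens, so an access token used as an ID token fails here too.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience != APP_CLIENT_ID:
        problems.append("audience/client_id mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token expired or missing exp")
    return problems


def custom_claims(claims):
    """Claims added through custom attributes (the `custom:` prefix)."""
    return {k: v for k, v in claims.items() if k.startswith("custom:")}
```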