
I am using AWS Cognito to conduct authentication, and I am trying to figure out if it's possible to remove one of the JWT's key/value pairs:

`cognito:username`

A typical decoded JWT would contain:

```json
{
  "sub": "aaaaaaaa-bbbb-cccc-dddd-example",
  "aud": "xxxxxxxxxxxxexample",
  "email_verified": true,
  "token_use": "id",
  "auth_time": 1500009400,
  "iss": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_example",
  "cognito:username": "exampleuser",
  "exp": 1500013000,
  "given_name": "Anaya",
  "iat": 1500009400,
  "email": "exampleuser@example.com"
}
```

Based on: https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/

I wanted to remove the `cognito:username` from the accessToken.

I'm just checking whether it's possible to remove or hide it via Cognito first; my last option would be doing it in code, meaning parse it, then remove, then encode again.

Thanks

Louie Miranda
  • Does this answer your question? [AWS Cognito: Add custom claim/attribute to JWT access token](https://stackoverflow.com/questions/56970499/aws-cognito-add-custom-claim-attribute-to-jwt-access-token) – hoangdv May 27 '21 at 10:42
  • Actually nope, that is more about adding, which I was able to do. We are trying to remove `cognito:username` on the pre-token generator/lambda of Cognito, but could not. Right now, trying in the code. – Louie Miranda May 31 '21 at 02:26
  • @LouieMiranda did you resolve this? I am trying to accomplish exactly the same thing. – cool Jun 03 '21 at 18:30
  • Hi @cool, not possible based on AWS documentation. Not unless you remove it on the JWT response and then sign again. – Louie Miranda Jun 15 '21 at 06:25

1 Answer

`cognito:username` cannot be removed or modified. Ref: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

Valera
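The "parse it, remove, then sign again" route from the question and comments, as an added example (not code from the post or from AWS): editing the payload breaks the issuer's signature, and a re-signed token verifies only under the key that re-signed it. Cognito signs with RS256; HS256 with two constructed secrets stands in here so the code needs only the standard library, and all function and variable names are illustrative assumptions.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def mac(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def sign(claims, key):
    # The signature covers base64url(header) + "." + base64url(payload).
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(mac(f'{head}.{body}', key))}"

def verify(token, key):
    # Signature check only (no exp/aud/iss checks); returns claims or None.
    try:
        head, body, sig = token.split(".")
        if json.loads(b64url_decode(head)).get("alg") != "HS256":
            return None
        if not hmac.compare_digest(mac(f"{head}.{body}", key), b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(body))
    except (ValueError, AttributeError):  # bad part count, base64 or JSON
        return None

def strip_claim(token, claim):
    # Option 1: edit the payload and keep the issuer's signature.
    head, body, sig = token.split(".")
    claims = json.loads(b64url_decode(body))
    claims.pop(claim, None)
    return f"{head}.{b64url(json.dumps(claims).encode())}.{sig}"

def reissue_without(token, claim, issuer_key, own_key):
    # Option 2: verify the original, then sign the reduced claims with our key.
    claims = verify(token, issuer_key)
    if claims is None:
        raise ValueError("original token failed verification")
    claims.pop(claim, None)
    return sign(claims, own_key)

# Constructed sample values, not real Cognito keys or tokens.
ISSUER_KEY, OWN_KEY = b"constructed-issuer-secret", b"constructed-own-secret"
CLAIMS = {"sub": "aaaaaaaa-bbbb-cccc-dddd-example", "token_use": "id",
          "cognito:username": "exampleuser", "exp": 1500013000}
original = sign(CLAIMS, ISSUER_KEY)
stripped = strip_claim(original, "cognito:username")
reissued = reissue_without(original, "cognito:username", ISSUER_KEY, OWN_KEY)
```

A service that validates tokens against the user pool's JWKS rejects both variants, so re-signing only works if every consumer is configured to trust your key instead of the pool's.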