
We are migrating our infrastructure into AWS. We are developing a backend layer as Lambda functions and will host it behind API Gateway. We are using the client credentials flow and authenticating the client using a client id and secret. After we send a token request to OAuth in Cognito it returns an access token, and we are using this token to access REST services hosted by API Gateway.

So, we need to differentiate the owner of the request for two purposes:

- First, we want to audit inputs and outputs along with the name of the organization (one organization might have different app clients).
- Second, we might need to have different behaviour in the Lambda functions according to the name of the organization.

We want to use the client credentials flow to make accessing the APIs easier.

I thought I could add custom fields and use those fields in the JWT access token; however, this answer says it is impossible: https://stackoverflow.com/a/62382001

Is there any suggestion for differentiating users in Lambda functions according to information we can add on the Cognito side? (I am planning for this field to belong to the app client.) Or is there any way to differentiate users in API Gateway and send the information to the Lambda functions?

If any part of my question is unclear, please tell me and I can clarify. Thanks in advance.

Ihsan

  • Have you tried using the identity tokens? They have the custom attributes that you define for a user (and configure to be included). – stijndepestel Aug 25 '21 at 07:05
  • When I use the ID token I cannot use the client credentials flow. In the case of ID token usage there has to be more than one request before accessing a REST API: first get the ID token, then send a second request to get the access token. In the client credentials flow we just send the client id and secret key and get the access token. – İhsan Akin Aug 25 '21 at 07:22
  • That is because the client credentials flow is created for machine-to-machine authentication. So there is no user identity at all in that flow. – stijndepestel Aug 25 '21 at 09:44

1 Answer


We are using a user pool as the API Gateway authorizer. This is what I use when I want to see the user who made the request to API Gateway (REST API) in the Lambda function:

event.requestContext.authorizer.claims

event.requestContext.authorizer is like this :

    "authorizer": {
        "claims": {
            "sub": "xxx",
            "email_verified": "false",
            "iss": "https://cognito-idp.eu-central-1.amazonaws.com/xxxx",
            "cognito:username": "my_username",
            "given_name": "my_given_name_property",
            "aud": "xxx",
            "event_id": "xxx",
            "token_use": "id",
            "auth_time": "xxx",
            "custom:orgId": "my_custom_field",
            "exp": "Thu Aug 05 19:35:48 UTC 2021",
            "iat": "Thu Aug 05 07:35:48 UTC 2021",
            "email": "xxx@gmail.com"
        }
    }
  • Which authentication flow are you using? In this case you are not using the client id and secret key, right? In order to access this information, the user first passes through a login page; then you can access their email and the other custom fields you defined in the Cognito management console. – İhsan Akin Aug 25 '21 at 12:38
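Tying the question to the answer above: the same `event.requestContext.authorizer.claims` object is populated when the Cognito user-pool authorizer verifies an access token from the client credentials grant, but the claims then describe the app client rather than a user: `client_id`, `scope`, `token_use` set to `"access"`, and `sub` equal to the client id. There is no `custom:` attribute, because no user is involved. Two things follow. The organization has to be looked up from `client_id` in a mapping the backend owns, and per-client differences can be expressed as custom scopes on a Cognito resource server, since each app client can be granted a different set of scopes and they arrive in the `scope` claim. One caveat for a REST API: the Cognito authorizer only validates an access token when the method has at least one OAuth scope configured; with no scopes it expects an ID token. The Node.js handler below is an added example, not code from the question, the answer or AWS; the environment variable `ORG_CLIENT_MAP`, the scope `orders/read`, the tier limits and all ids are constructed for the illustration.

```javascript
'use strict';
// Added example, not code from the question or the answer above.
// Lambda handler behind an API Gateway REST API with a Cognito user-pool
// authorizer. For a client-credentials access token the verified claims in
// event.requestContext.authorizer.claims carry no user attributes, only
// "client_id", "scope", "token_use": "access" and the issuer, so the
// organization is looked up from the app client id in a mapping kept
// outside the token.
//
// Assumptions: the mapping lives in the environment variable ORG_CLIENT_MAP
// (hypothetical name) as JSON; "orders/read" is a hypothetical custom scope
// defined on a Cognito resource server. All ids below are constructed.

const DEFAULT_MAP = {
  '1example-client-id-acme':   { org: 'acme',   tier: 'standard' },
  '2example-client-id-globex': { org: 'globex', tier: 'premium'  },
};
const CLIENT_MAP = process.env.ORG_CLIENT_MAP
  ? JSON.parse(process.env.ORG_CLIENT_MAP)
  : DEFAULT_MAP;

// Returns { clientId, org, tier, scopes } or null. Every null is a refusal:
// missing authorizer output, a token that is not a client-credentials access
// token, or an app client nobody registered for an organization.
function resolveOrganization(event) {
  const rc = event && event.requestContext;
  const claims = rc && rc.authorizer && rc.authorizer.claims;
  if (!claims) return null;
  if (claims.token_use !== 'access') return null;
  const known = Object.prototype.hasOwnProperty.call(CLIENT_MAP, claims.client_id);
  if (!known) return null;
  const entry = CLIENT_MAP[claims.client_id];
  const scopes = String(claims.scope || '').split(' ').filter(Boolean);
  return { clientId: claims.client_id, org: entry.org, tier: entry.tier, scopes };
}

function hasScope(ctx, required) {
  return ctx.scopes.includes(required);
}

// Audit record keyed by organization. It records the request id and the
// app client id, never the client secret or the bearer token itself.
function auditRecord(event, ctx) {
  return {
    requestId: event.requestContext && event.requestContext.requestId,
    org: ctx ? ctx.org : 'unknown',
    clientId: ctx ? ctx.clientId : null,
    method: event.httpMethod,
    path: event.path,
  };
}

// Synchronous core so it can be exercised without a Lambda runtime.
function handleRequest(event) {
  const ctx = resolveOrganization(event);
  console.log(JSON.stringify(auditRecord(event, ctx)));
  if (!ctx) {
    return { statusCode: 403, body: JSON.stringify({ error: 'unknown client' }) };
  }
  if (!hasScope(ctx, 'orders/read')) {
    return { statusCode: 403, body: JSON.stringify({ error: 'insufficient scope' }) };
  }
  // Organization-specific behaviour: a constructed per-tier page limit.
  const limit = ctx.tier === 'premium' ? 1000 : 100;
  return { statusCode: 200, body: JSON.stringify({ org: ctx.org, limit }) };
}

if (typeof module !== 'undefined' && module.exports) {
  module.exports.handler = async (event) => handleRequest(event);
}

// Constructed sample event in the shape the answer shows, but with the claims
// an access token from the client credentials grant actually contains.
function sampleEvent(clientId, scope, tokenUse) {
  return {
    httpMethod: 'GET',
    path: '/orders',
    requestContext: {
      requestId: 'constructed-request-id',
      authorizer: {
        claims: {
          sub: clientId,            // for this grant, sub equals the client id
          client_id: clientId,
          token_use: tokenUse,
          scope: scope,
          iss: 'https://cognito-idp.eu-central-1.amazonaws.com/POOL_ID_PLACEHOLDER',
          version: '2',
        },
      },
    },
  };
}
```

The design choice worth noting is that every lookup fails closed: a client id that is not in the mapping gets a 403 and an audit line with `org: "unknown"`, instead of silently running with default behaviour, and an ID token (`token_use` other than `"access"`) is refused outright because it has no `client_id` to map. Keeping the client-to-organization mapping outside the token also means an organization can rotate or add app clients without reissuing anything; only the mapping changes.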