Custom scopes in access token programmatically #684
Comments
|
Hello @bluetrickpt Currently, specifying custom scopes is only supported via the Oauth client (Cognito Auth SDK) as you have mentioned above. It is not possible to to request custom scopes using the API flow. I will take this as a feature request to the service team. Thanks, |
|
Any updates on this? |
|
Agree that this would be a really useful feature. My team has a use case that requires us to implement a custom auth flow and without being able to have scopes (both built in and custom) in the token we may have to look up the scopes on the app client's resource server at each authorization with a custom auth trigger to verify that the app client has access. Even with that implementation, we can't issues tokens that have are limited to a subset of the allowed scopes. |
|
Hi all, We don't have an update on this issue, but we are communicating your requests to the service team. |
|
This would be very helpful. Is there any plan to address this soon? |
|
Hey, Amplify We too have run into this issue. It's very useful to have custom scopes so that we can have fine-grained Cognito authorizers on our API Gateway resource. Any update would be great. :) -Jay |
|
Any update on this? |
|
Anything? |
|
Any update? |
|
Any updates? |
|
Any updates on this? @minbi @rohandubal |
|
Updates would be much appreciated. |
|
Any updates? |
|
Any Update? |
|
Any update on this? |
|
Please, give any update about this feature. |
|
Also looking for an update on this. |
|
Come on AWS, at least throw us a bone here... |
|
Need this badly |
|
Ditto. Any update will be greatly appreciated. Alternatively if we need to 'vote' for this feature please let us know so we can raise awareness through the product owner's radar. |
|
For now I am adding aws.cognito.signin.user.admin to custom authorizer / oauth scopes. Not a great choice but has allowed me to move forward while still using access tokens... |
|
Looking from someone in the Cognito team to provide an update. The request for custom scope has been pending for almost an year. |
There is a work around you can use in order to get this working. You will have to call same api they call from hosted UI and pass their Token that is set to your browser in the cookies I believe (Sorry I dont remember the name of the cookies, it is on my work computer, but it starts with X I believe). With this youll be able to sent your scopes in the url of the request. |
|
Thanks, I have both the However: id_tokens are meant for the client and access_token for the API. See https://auth0.com/blog/id-token-access-token-what-is-the-difference/ I somehow need to override the default access_token with my claims from the source. Worst case I'm going to have to implement a lambda auth and use that to pull in my id_token with the claims (which is storing authz info such as tenant and role). So while it's not an amplify issue but a cognito issue, the amplify team is taking the heat for this because it's mostly what we're interacting with, by the same company. |
You should not use id token in place of access token, it is bad for security. Also, id token will have missing claims. I believe it won't have username claim as well as scopes I believe |
|
@kkdeveloper7 you can add claims via the PreToken trigger for id tokens. I outlined a solution/workaround in this issue Can you elaborate regarding using of id tokens is bad from a security perspective? |
Generally speaking you can even sent a refresh token in a header that you can later take retrieve access token from and access your protected resource, but it is not recommended to do so because of the security concerns that if someone get a hold of your long living refresh token and will be able to issue them new access tokens. Id token was created to be able to quickly gain current user information. This token dose not have to be secure and can be accessed via client to parse its contents in order to get users information. If you will store secure information in your Id token this mean that the client can access it and read secure claims that mean to be for access token only, such as The point I am trying to make is that, yes passing id token is not as bad as passing refresh token, but it is not recommended since the use for this token is mean for other purposes. Its like trying to eat soup with tea spoon, yes you can get it done but there are better tools for that. There are also scopes that you cant add or modify in lambda one of the is |
|
After 3 days trying to find out why my Amplify token does not work with my proxy API, I figured out the scope issue and landed here. Quite frustrated as I don't want to use hostet UI, I don't know how to continue. Shame on AWS. |
|
It’s not ideal, but we ended up implementing our own endpoint which takes the cognito access token and provides a custom access token. Refresh and Id tokens work as usual. This allowed us to give custom scopes while still using Cognito as the identity provider.
…Sent from my iPhone
On Dec 7, 2021, at 12:28 AM, Andreas Hernitscheck ***@***.***> wrote:
CAUTION: This email originated from outside your organization. Exercise caution when opening attachments or clicking links, especially from unknown senders.
After 3 days trying to find out why my Amplify token does not work with my proxy API, I figured out the scope issue and landed here.
Quite frustrated as I don't want to use hostet UI, I don't know how to continue. Shame on AWS.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub<#684 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AOPHKY4NGKZAG6LK4MTMZ3TUPWLQHANCNFSM4GT67PSQ>.
Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.
|
That is an article about adding claims to the |
|
+1 I am having this issue. How is Amazon using this to identify users? Are they using an access token or the id token? |
|
I run into this issue even using the hosted ui. I have no way around it that I know of. :/ |
|
Why is there still no news on this? It's incredibly frustrating to see people including me paying money for Cognito and Amplify, yet this critical issue, which affects all Amplify SDKs, continues to be overlooked! |
|
Hello everyone, this is currently a limitation from the Amazon Cognito service, and we are working closely with them to resolve this. We will provide updates on this issue when we have more to share. |
|
Looking forward for a resolution for this issue. |
|
Since we are working with the Cognito team to identity the use cases for how developers would use this, can you please help us with providing us how you would set and also request these custom scopes? We want to make sure the mechanism we expose this in makes sense. |
|
Here is my use-case: I have two Angular web apps integrated with Module Federation. From my investigation, from the Cognito side, you can't have a programmatically generated scoped token, besides then going throw SSO Cognito(Hosted UI) login page. Let me know if you need more details. As on how to query those scopes: I think it's not necessary to query them because they should be returned by default if the SSO is configured, and they are returned but only throw Hosted UI: This is the override of Amplify Auth, configured with SSO. When going to the Hosted UI login - the scoped token is returned. When calling directly the APIs for that native Auth component, they are not. |
Setting and requesting custom scopes is not the issue. This is possible with the current functionality:
What is missing and would add immense value and flexibility is allowing developers to take control over the structure of the
In terms of supporting this, it would make sense to keep consistency with current Cognito functionality and simply provide a pre (or post) (access) token generation trigger similar to the one available for the id token (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html). Note that there are a significant number of claims in the See also #684 (comment) for some context about our use case and the workaround I've implemented to have full control over the structure of the I, of course, don't have the context the Cognito team possesses regarding the architecture, design and implementation of the Cognito service, however, I might be so bold to argue that the uses cases are of less importance and not really relevant in the consideration of what should be a core functionality: allowing developers to have full control over the 🙇 |
|
Thank you @hackmajoris and @jsmpereira so much for the feedback! Exactly the type of insight we needed! We will get back to you when we make more progress with the help of the Cognito team! |
|
@jsmpereira Perhaps I'm misunderstanding the guides, but the custom scopes seemed to be mapped to app clients only? This is fine for app clients but what about users in the pool? It would be nice to a have custom logic when it comes to issuing scopes regardless of the client type. |
|
@AlexMayleRdn From the OP (#684 (comment)):
The issue initially described seems to be a "limitation" with amplify and related SDKs, where unless you used the hosted ui, any custom scopes would not be present in the access token. At this point, 4 years passed I honestly don't know if that issue is addressed. It sparked however a more "generic" discussion about access token customisation. Custom scopes are defined on a Resource Server (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.html). These scopes can then be enabled in app clients. When executing OAuth grants "in the context" of a user pool app client (https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html) you get an An app client is not a client type and it "links" your application to a pool of users. If you want to leverage Cognito to authorize your own API you can do so with Resource Servers and custom scopes, then you can enable the desired custom scopes on your app client. If you have no users to authenticate, you can execute a |
|
I don’t think it currently works as you described @jsmpereira. In my tests the custom scopes are only present in the Access Token if you use the Hosted UI |
|
@tobilg 🙇 That is indeed the issue initially described, as I do mention in #684 (comment):
This however seems to be by design. From the Cognito access token page (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-the-access-token.html):
It does seem that something like Amplify's I also mention in a previous comment #684 (comment):
I make the case on that comment that having a trigger for the Sorry about the ramblings. I'm all over the place 🙇 |
|
I‘m aware of all these things. They have been mentioned years ago in other issues. Current discussion seems to revolve around aws-amplify/amplify-js#3732 (comment) |
|
CHRISTMAS CAME EARLY FRIENDS |
|
Seems to have been fixed on Cognito User Pools: https://aws.amazon.com/about-aws/whats-new/2023/12/amazon-cognito-user-pools-customize-access-tokens/ |
|
Does this mean that api gateway will use access tokens instead of id tokens now? |
|
Well... not exactly. You must turn on advanced security features to use this. This bumps per user price up 800%.... Surely we can get this without needing to opt into every other feature. 
|
|
It looks like they have gotten their act together and sorted this, new better pricing tiers, access tokens incl. |
github-actions
bot
added
the
pending-maintainer-response
tylerjroach
removed
the
pending-maintainer-response
and others
Describe the bug
Impossible to get access tokens with custom scopes without using the hosted web ui. Authentication through the amplify drop-in UI for both Android and iOS -- used in the android-sdk-auth example -- or through cognito auth sdk always returns (the single scope) aws.cognito.signin.user.admin even if it is disabled on the app client settings.
To Reproduce
Steps to reproduce the behavior:
1.Follow the android (or iOS)-sdk-auth example;
2. Create custom scope and enable on app client settings;
3. Sign-in in the app, grab the access token and check the scopes in jwt.io
Which AWS service(s) are affected?
AWS Cognito (in all SDKs) and AWS API Gateway
Expected behavior
Access token should return custom scope(s), regardless of using the web ui.
Screenshots
Environment(please complete the following information):
Device Information (please complete the following information):
Additional context
Our use case:
We have native apps (both Android and iOS) trying to authenticate end-users in a user pool. Our API Gateway resources are scoped (none including aws.cognito.signin.user.admin scope). We want to use implicit grant as we don't want to distribute the application with the client secret in its package as that would be stored in plain text. We'd rather not use the hosted web ui for improved user experience, specially since everything we have is native. We do understand the implications of not using the web ui, as well as not using the authorization code flow. Thus, the solution would be to use the cognito auth sdk, which we believe that it doesn't support implicit grant.
We might be approaching this the wrong way, any guidance would also be highly appreciated.
Unsolved related issues throughout the different SDKs:
[Amplify JS] - Access Token does not have required scopes (Http - 400)
[Amplify JS] - How do I use amazon-cognito-identity-js to get scopes in the access_token?
[Amplify iOS] - Feature Request: Cognito "InitiaateAuth" request allowed custom "scopes" in AccessToken
[Amplify Android] - Feature Request: Cognito "InitiateAuth" request allowed custom "scopes" in AccessToken
The text was updated successfully, but these errors were encountered: