Question
I'm using AWS Cognito with a NodeJS backend API and want to include user details in the access token returned from the /oauth2/token endpoint with scopes defined in the user pool client app.
Also, if I use the adminInitiateAuth API, there is no way to include the scopes in the returned access token. So is it possible to have both user details and scopes in one access token?
Answer 1:
Amazon Cognito returns multiple tokens upon successful authentication: an ID token, an access token, and optionally a refresh token.
Question 1: user details in token
The ID token contains some PII details, such as the user name and email address.
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
When using AWS Amplify, you can use Auth.currentAuthenticatedUser() to retrieve user details from Cognito:
https://aws-amplify.github.io/docs/js/authentication
Question 2: adminInitiateAuth
This is currently not supported: https://github.com/aws-amplify/aws-sdk-android/issues/477
Answer 2:
Cognito does not support custom claims in access tokens, which I think is a really good design choice.
You can manage extra / custom data fairly easily in your APIs and UIs in a much more extensible manner via claims caching: https://authguidance.com/2017/10/03/api-tokens-claims/
There is a node sample of mine that does this here: https://github.com/gary-archer/authguidance.websample2
It is a pattern often implemented by API gateways, such as AWS: https://authguidance.com/2018/12/16/serverless-api-deployment/
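The claims-caching pattern described in this answer, as an added Node.js example that is not part of the original answer or of the linked sample: scopes are read from the Cognito access token, user details are looked up by the API itself and cached against the token's `sub`. The user store, cache TTL, subject value, client id and scope names are constructed, and JWT signature verification is assumed to happen upstream (for example against the user pool's JWKS) before `buildPrincipal` is called.

```javascript
const CACHE_TTL_MS = 5 * 60 * 1000;   // how long looked-up user details stay cached
const claimsCache = new Map();        // sub -> { expires, details }

// Decode a JWT's payload segment. Assumes the signature was already verified
// upstream against the user pool's JWKS; this function does NOT verify it.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Hypothetical user store standing in for a database or an AdminGetUser call.
const userStore = {
  'c0ffee00-0000-4000-8000-000000000001': { email: 'alice@example.com', tenant: 'acme' },
};
function loadUserDetails(sub) {
  const details = userStore[sub];
  if (!details) throw new Error(`unknown subject ${sub}`);
  return details;
}

// Scopes come from the access token; user details come from the API's own
// cache, which is filled on a miss or when the cached entry has expired.
function buildPrincipal(accessToken, now = Date.now()) {
  const claims = decodeJwtPayload(accessToken);
  if (claims.token_use !== 'access') throw new Error('expected a Cognito access token');
  if (claims.exp * 1000 <= now) throw new Error('token expired');
  const scopes = (claims.scope || '').split(' ').filter(Boolean);
  let entry = claimsCache.get(claims.sub);
  if (!entry || entry.expires <= now) {
    entry = { expires: now + CACHE_TTL_MS, details: loadUserDetails(claims.sub) };
    claimsCache.set(claims.sub, entry);
  }
  return { sub: claims.sub, clientId: claims.client_id, scopes, user: entry.details };
}

function hasScope(principal, required) {
  return principal.scopes.includes(required);
}

// Constructed, unsigned sample token carrying a Cognito-style access-token payload.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'sample-kid' })}.${enc(payload)}.sig`;
}
const SAMPLE_TOKEN = makeSampleToken({
  sub: 'c0ffee00-0000-4000-8000-000000000001', token_use: 'access',
  scope: 'openid orders/read', client_id: 'sampleclientid', exp: 1700000000,
});
```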
Source: https://stackoverflow.com/questions/57168057/include-user-details-in-aws-cognito-oauth2-token