Custom attribute not passed into ID_TOKEN created by AWS Cognito

孤者浪人 submitted on 2021-02-06 09:54:21

Question


I am not able to get custom attribute in ID_TOKEN returned from AWS Cognito after successful user login.

Steps I tried:

1. Created user pool
2. Created app client and checked the custom attributes (customattrib1, customattrib2)

User Pool screen:

Check custom attribute in app client config

3. Created user using admin-create-user API

Below image shows the value for user attributes:

4. Signed in the user using aws-cognito-auth.js in the client app. The ID token returned does not contain the custom attributes.

ID_TOKEN

{
  "at_hash": "PKfjYDaiEty5mUOyJZlPQA",
  "sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
  "email_verified": true,
  "iss": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_XXXXXXX",
  "phone_number_verified": true,
  "cognito:username": "testuser",
  "aud": "XYXYXYXYX",
  "token_use": "id",
  "auth_time": 1549349674,
  "phone_number": "##########",
  "exp": 1549353274,
  "iat": 1549349674,
  "email": "testuser@somedomain.com"
}

I have already checked links below, which had some info regarding this issue, but nothing helped so far.

Adding Cognito custom attributes post pool creation?

Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider

https://www.reddit.com/r/aws/comments/a07dwg/cognito_add_custom_attribute_to_jwt_token/

Please help me figure out if I am missing something.


Answer 1:


  • In your Cognito user pool go to General Settings -> App Clients, then for each app client click on Show Details, then Set attribute read and write permissions. Check the checkbox next to your attribute name under Readable Attributes.
  • In your Cognito user pool go to App client settings -> Allowed OAuth Scopes and enable profile scope.



Answer 2:


I had the same trouble and your question came up when I was searching for a solution.

My custom attributes started to appear in the ID token when I enabled the profile scope in 'App client settings'. (Available at: AWS console -> 'User pools' -> click your pool -> 'App client settings' -> 'Allowed OAuth Scopes'.)

(BTW: I was misled by this sentence from the documentation: "The openid scope returns all user attributes in the ID token that are readable by the client". In my case openid scope was not enough.)
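An added diagnostic script (written here, not code from either answer or from AWS) that applies what both answers say: it decodes an ID token to list which custom: claims are present, and checks an app client's ReadAttributes and AllowedOAuthScopes for the readable attribute and the profile scope. The attribute names customattrib1/customattrib2 come from the question; the sample token is constructed, and the pool id, client id and region for the live lookup are assumed values supplied by the caller.

```python
import base64
import json
from typing import Dict, List


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample: the question's ID-token claim set (no custom: claims)
# wrapped as an unsigned compact JWS so the decoder can be exercised offline.
SAMPLE_CLAIMS = {"sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
                 "cognito:username": "testuser", "token_use": "id",
                 "email": "testuser@somedomain.com"}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256","kid":"constructed"}'),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])

def decode_jwt_payload(token: str) -> Dict:
    """Base64url-decode the payload segment of a JWT.
    No signature check: this only shows which claims Cognito put in the token;
    verify the signature against the pool's JWKS before relying on any claim."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("expected a compact JWS with 3 dot-separated segments")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def missing_custom_claims(claims: Dict, expected: List[str]) -> List[str]:
    """Custom attributes appear in the token as 'custom:<name>'; list absent ones."""
    return [a for a in expected if f"custom:{a}" not in claims]

def diagnose_app_client(client_cfg: Dict, expected: List[str]) -> List[str]:
    """Check a UserPoolClient description (describe-user-pool-client output) for
    the two settings the answers name: readable attribute and 'profile' scope."""
    readable = set(client_cfg.get("ReadAttributes", []))
    problems = [f"custom:{a} is not in ReadAttributes" for a in expected
                if f"custom:{a}" not in readable]
    if "profile" not in client_cfg.get("AllowedOAuthScopes", []):
        problems.append("'profile' is not in AllowedOAuthScopes")
    return problems

def fetch_app_client(user_pool_id: str, client_id: str, region: str) -> Dict:
    """Live lookup (needs AWS credentials); its result feeds diagnose_app_client()."""
    import boto3  # imported here so the offline helpers above need no AWS SDK
    cip = boto3.client("cognito-idp", region_name=region)
    resp = cip.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)
    return resp["UserPoolClient"]
```

Run `diagnose_app_client(fetch_app_client(pool_id, client_id, region), ["customattrib1", "customattrib2"])` against your own pool; an empty list means both settings from the answers are in place, and a fresh token should then carry the custom: claims.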



Source: https://stackoverflow.com/questions/54530776/custom-attribute-not-passed-into-id-token-created-by-aws-cognito
