AWS Cognito Change Password JWT IdToken Payload No Longer Contains given_name OR family_name

0

We are using Cognito for user authentication. The first step in our flow is for the user to reset their password from the temp password Cognito supplies. During this flow we also ask for the given_name and family_name attributes. Here is the request we send to Cognito for the password reset challenge:

Request URL: https://cognito-idp.us-west-2.amazonaws.com/
Request Method: POST
Body:

{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ClientId": "******",
  "ChallengeResponses": {
    "userAttributes.given_name": "John",
    "userAttributes.family_name": "Doe",
    "NEW_PASSWORD": "******",
    "USERNAME": "****"
  },
  "Session": "*********"
}

The response looks something like:

{
    "AuthenticationResult": {
        "AccessToken": "****",
        "ExpiresIn": 86400,
        "IdToken": "****",
        "RefreshToken": "****",
        "TokenType": "Bearer"
    },
    "ChallengeParameters": {}
}

We then verify the IdToken and grab the given_name and family_name from the payload and use that to create a user in our database. Our users are now failing to create due to the given_name and family_name user attributes missing from the IdToken.

Prior to April 23rd, 1:57 am CST, the payload had this structure:

{
    "sub": "****-****-***-***-***",
    "email_verified": true,
    "iss": "https://cognito-idp.us-west-2.amazonaws.com/*****",
    "cognito:username": "****-**-****-****-**********",
    "given_name": "John",
    "origin_jti": "*****-****-****-****-**********",
    "aud": "*********",
    "event_id": "******-****-****-****-**********",
    "token_use": "id",
    "auth_time": **********,
    "exp": **********,
    "iat": **********,
    "family_name": "Doe",
    "jti": "******-****-****-****-*********",
    "email": "***@*****.com"
}

Now the payload in the IdToken does not contain given_name or family_name and has this structure:

{
    "sub": "****-****-***-***-***",
    "email_verified": true,
    "iss": "https://cognito-idp.us-west-2.amazonaws.com/*****",
    "cognito:username": "****-**-****-****-**********",
    "origin_jti": "*****-****-****-****-**********",
    "aud": "*********",
    "event_id": "******-****-****-****-**********",
    "token_use": "id",
    "auth_time": **********,
    "exp": **********,
    "iat": **********,
    "jti": "******-****-****-****-*********",
    "email": "***@*****.com"
}

After authenticating that user through the USER_PASSWORD_AUTH flow, the IdToken payload does contain given_name and family_name.

Has anyone else run into this? Did the Cognito team accidentally release a breaking change to the IdToken creation recently? Any ideas or better implementations are welcome. Thanks!

cbwlily
asked a month ago, 66 views
No answers
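A defensive way to consume the ID token described above, added here as an example that is not part of the original post or of any AWS code: validate the claims that must be right (token_use, iss, aud, exp), then treat given_name/family_name in the ID token as optional and fall back to the user pool's GetUser lookup (the shape Cognito returns for `cognito-idp get-user` with the AccessToken) when they are absent, failing closed if they still cannot be resolved. It assumes the token's signature has already been verified against the pool's JWKS, and `fetch_user` is a hypothetical callable wrapping that GetUser call; all sample values are constructed placeholders.

```python
import time

# Constructed sample: ID-token claims as seen after the NEW_PASSWORD_REQUIRED
# challenge in the question, with given_name/family_name missing. Placeholders only.
CLAIMS_AFTER_CHALLENGE = {
    "sub": "11111111-2222-3333-4444-555555555555",
    "iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE",
    "aud": "exampleclientid",
    "token_use": "id",
    "exp": 4102444800,  # far-future placeholder expiry
    "email": "john@example.com",
}

# Constructed sample of a GetUser response (same shape Cognito returns).
GET_USER_RESPONSE = {
    "Username": "11111111-2222-3333-4444-555555555555",
    "UserAttributes": [
        {"Name": "sub", "Value": "11111111-2222-3333-4444-555555555555"},
        {"Name": "given_name", "Value": "John"},
        {"Name": "family_name", "Value": "Doe"},
        {"Name": "email", "Value": "john@example.com"},
    ],
}

REQUIRED = ("given_name", "family_name", "email")


def validate_id_claims(claims, expected_iss, expected_aud, now=None):
    """Fail closed on the claims that must be right. Signature verification
    against the pool's JWKS is assumed to have happened before this call."""
    now = time.time() if now is None else now
    if claims.get("token_use") != "id":
        raise ValueError("not an ID token")
    if claims.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("unexpected audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def resolve_profile(claims, fetch_user):
    """Prefer attributes from the ID token; fall back to GetUser for any that
    are missing. fetch_user() is a hypothetical wrapper returning a GetUser dict."""
    profile = {k: claims[k] for k in REQUIRED if k in claims}
    if any(k not in profile for k in REQUIRED):
        attrs = {a["Name"]: a["Value"] for a in fetch_user().get("UserAttributes", [])}
        if attrs.get("sub") != claims["sub"]:
            raise ValueError("GetUser result does not belong to the token subject")
        for k in REQUIRED:
            profile.setdefault(k, attrs[k]) if k in attrs else None
    missing = [k for k in REQUIRED if k not in profile]
    if missing:
        raise ValueError(f"cannot create user, missing attributes: {missing}")
    return {"sub": claims["sub"], **profile}
```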
