I am trying to implement a custom access token solution using Cognito. I have a custom pre-token trigger from where I can add arbitrary claims into the issued tokens. However, I need to be able to decide based on user input, which claims to insert into the token. Specifically, I am trying to implement switch-account functionality by re-authenticating the user and giving them a fresh credential. However, I don't see any mechanism to pass the user selection via the login UI or through the InitiateAuth API in a way that is accessible to the pre-token generation Lambda. Am I missing something obvious?
I cannot use resource servers or custom scopes here, as the number of accounts is potentially as large as the number of users. This needs to be a dynamic claim for this approach to work. E.g. I want to be able to do something like this:
import type { PreTokenGenerationV2TriggerEvent } from "aws-lambda";

export async function handler(event: PreTokenGenerationV2TriggerEvent) {
  // The open question: how does the user's account selection reach this event?
  const userAccountSelection = extractFromEvent(event);
  // custom validation logic to ensure this user is permitted to access the selected account ...
  event.response.claimsAndScopeOverrideDetails = {
    accessTokenGeneration: {
      claimsToAddOrOverride: {
        account_id: `account:${userAccountSelection}`,
      },
    },
  };
  // Cognito requires the trigger to hand the (mutated) event back.
  return event;
}
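The following is an added example, not code from the question above or from AWS. It assumes the selected account arrives in `event.request.clientMetadata`, which Cognito populates from the `ClientMetadata` parameter of `RespondToAuthChallenge` / `AdminRespondToAuthChallenge` (my reading of the API reference is that `InitiateAuth` itself does not forward `ClientMetadata` to the pre token generation trigger, so the selection has to travel on the challenge response). The `MEMBERSHIPS` table, the `acct-NNN` id format and the `makeEvent` helper are constructed for the example; a minimal local event interface stands in for `PreTokenGenerationV2TriggerEvent` so the file runs with no dependencies. The point it demonstrates is the defensive one: whatever channel carries the selection is client-controlled, so the trigger must validate the value's shape and the user's membership server-side before minting the claim, and must fail the sign-in rather than issue a token when that check does not pass.

```typescript
// Minimal subset of the Cognito pre token generation V2 event (assumed shape;
// the real type is PreTokenGenerationV2TriggerEvent from @types/aws-lambda).
export interface PreTokenEvent {
  userName: string;
  request: { clientMetadata?: Record<string, string> };
  response: {
    claimsAndScopeOverrideDetails?: {
      accessTokenGeneration?: {
        claimsToAddOrOverride?: Record<string, string>;
      };
    };
  };
}

// Constructed membership table standing in for a real lookup (DynamoDB, RDS, ...).
// This is the server-side source of truth; the client never supplies it.
export const MEMBERSHIPS: Record<string, Set<string>> = {
  alice: new Set(["acct-100", "acct-200"]),
  bob: new Set(["acct-300"]),
};

// Constructed id format: reject anything that is not a well-formed account id
// before it is used in a lookup or copied into a token claim.
const ACCOUNT_ID_PATTERN = /^acct-\d{1,12}$/;

// Returns the requested account id only if it is well-formed and the user is a
// member of it; otherwise null. Pure, so it can be unit-tested without Cognito.
export function selectAccount(
  userName: string,
  requested: string | undefined,
  memberships: Record<string, Set<string>> = MEMBERSHIPS,
): string | null {
  if (requested === undefined || !ACCOUNT_ID_PATTERN.test(requested)) {
    return null;
  }
  const allowed = memberships[userName];
  if (!allowed || !allowed.has(requested)) {
    return null;
  }
  return requested;
}

// Pre token generation handler. The selection is read from clientMetadata
// (assumed to be set via ClientMetadata on RespondToAuthChallenge).
export function handler(event: PreTokenEvent): PreTokenEvent {
  const requested = event.request.clientMetadata?.account_id;
  const account = selectAccount(event.userName, requested);
  if (account === null) {
    // Throwing makes Cognito fail the authentication instead of issuing a
    // token with a missing or attacker-chosen account claim.
    throw new Error("account selection rejected");
  }
  event.response.claimsAndScopeOverrideDetails = {
    accessTokenGeneration: {
      claimsToAddOrOverride: {
        account_id: `account:${account}`,
      },
    },
  };
  return event;
}

// Constructed helper that builds an event the way Cognito would deliver it.
export function makeEvent(
  userName: string,
  clientMetadata?: Record<string, string>,
): PreTokenEvent {
  return { userName, request: { clientMetadata }, response: {} };
}

// Returns the account_id claim the handler minted, or null if none was set.
export function mintedAccountClaim(event: PreTokenEvent): string | null {
  return (
    event.response.claimsAndScopeOverrideDetails?.accessTokenGeneration
      ?.claimsToAddOrOverride?.account_id ?? null
  );
}
```

Because `selectAccount` is pure, the authorization decision can be covered by ordinary unit tests (member allowed, non-member rejected, malformed id rejected, unknown user rejected) without deploying the trigger; the handler only wires that decision to the event shape.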