How do I get IdP-issued OIDC or social identity tokens for Amazon Cognito user pools?

5 minute read
0

I want to learn how to get the access and ID tokens issued by the identity provider (IdP) that I integrated with Amazon Cognito user pools for authorization or troubleshooting purposes.

Short description

The OpenID Connect (OIDC) IdP authentication flow doesn't allow the user or application to see the IdP-side tokens. For authorization or troubleshooting purposes, some use cases require the actual IdP-issued tokens within the application.

Important: The following resolution assumes that you integrated OIDC IdP or social IdP with Amazon Cognito user pools. If you didn't integrate an IdP with your user pool, then add a user pool sign-in through a third party.

Resolution

Create a custom attribute in a user pool

To create a custom attribute in your user pool, complete the following steps:

  1. Open the new Amazon Cognito console, and then choose the Sign-up Experience tab in your user pool.
  2. Under the Custom Attributes section, choose Add custom attributes.
  3. To create a custom attribute for an access token, enter the following values:
    Name: access_token
    Type: String
    Max: 2,048
    Mutable: Select this check box
  4. Choose Save.
  5. To create a custom attribute for an ID token, enter the following values:
    Name: id_token
    Type: String
    Max: 2,048
    Mutable: Select this check box
  6. Choose Save.

Configure attribute mapping between Amazon Cognito and your IdP

To configure attribute mapping to IdP attributes, complete the following steps:

  1. Open the new Amazon Cognito console, and then choose the Sign-in Experience tab in your user pool.
  2. Under the Federated Identity Provider sign-in section, select your IdP from the list.
  3. In the Identity provider information section, choose Edit. Make sure that the following scopes are in the Authorized scopes section:
    Facebook: public_profile, email
    Google: profile email openid
    Login with Amazon: profile postal_code
    Sign in with Apple: email name
    All other OIDC providers: profile email openid
  4. On the Identity provider page, choose Edit in the Attribute mapping section.
  5. From the User pool attribute column, select your custom attribute.
  6. From the OpenID Connect attribute column, select access_token or id_token.
  7. Choose Save.

The following are the results of attribute mapping configuration:

  • User pool attribute: custom:id_token
  • OpenID Connect attribute: id_token
  • User pool attribute: custom:access_token
  • OpenID Connect attribute: access_token

Turn on attribute read and write permissions in your Amazon Cognito app client

When a user signs in to the application, Amazon Cognito updates the mapped attributes. For Amazon Cognito to update the mapped user pool attributes, the mapped attributes must be writable in your application's app client settings. For Amazon Cognito to update the user's ID token, the attributes must be readable in your application's app client settings.

To turn on read and write permissions, complete the following steps:

  1. Open the new Amazon Cognito console, and then choose the App integration tab in your user pool.
  2. Select your app client.
  3. In the Attribute read and write permissions section, choose Edit.
  4. On the Edit attribute read and write permissions page, select the read and write check boxes for your custom attributes.
  5. Choose Save.

Repeat these steps for each app client that uses the custom attribute.

For more information, see Attribute permissions and scopes.

Use the third-party OIDC provider or social IdP to sign in

When you perform a new IdP authentication through the Amazon Cognito Hosted UI, you can see the IdP tokens in the custom attributes. Choose an end user to see the IdP tokens in their attributes. When you decode the ID token, you also see the custom attributes that contain IdP tokens.

Example payload section of the ID token that's issued to the end user:

{
   "custom:access_token": "ya29.a0AeTM1ic9iv_FqpDQeIN......w1OPKdFEbR_Tea",
   "iss": "https://cognito-idp.example_region.amazonaws.com/example_user_pool_id",
   "custom:id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhjMjdkYjRkMTN............saDMuZ29vZ2xldXNlcmNv"
}

Important:

  • The maximum length for any custom attribute is 2,048 characters. When an IdP token exceeds 2,048 characters, you receive the following error: "String attributes cannot have a length of more than 2048".
  • You can't remove or modify a custom attribute after you create it.
  • If the custom attribute isn't updated in subsequent sign ins, then check the mutability of the custom attribute. This issue is expected after you clear the Mutable check box when you create the attribute. To learn more, see Custom attributes.

Note: If you still can't get an IdP token, then contact your IdP. Check whether the IdP supports the passage of tokens that have attributes to Amazon Cognito. Then, contact AWS Support for additional troubleshooting.

Related information

How do I set up Auth0 as an OIDC provider in an Amazon Cognito user pool?

How do I set up LinkedIn as a social identity provider in an Amazon Cognito user pool?

How do I set up Okta as an OpenID Connect identity provider in an Amazon Cognito user pool?

How do I set up Google as a federated identity provider in an Amazon Cognito user pool?

How to view a SAML response in your browser for troubleshooting

AWS OFFICIAL
AWS OFFICIALUpdated 10 months ago
7 Comments

Hi!

Thank you for this tutorial! This allows us having to avoid creating custom attributes that could grow stale over time. Is there an equivalent solution for SAML? We'd like to be able read all attributes returned from a SAML response.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

What is AWS recommendation when the access_token from the IdP is too long?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
EXPERT
replied a year ago

Any update on the question above? What is AWS recommendation when the access_token from the IdP is too long? The external IDP is firm on keeping the existing settings with access_token greater than 2048 but we do need access to the token.

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
EXPERT
replied 10 months ago

Any updates on the question above about acess_token length greater than 2048?

replied 9 months ago