AWS Cognito Change Password JWT IdToken Payload No Longer Contains given_name OR family_name


We are using Cognito for user authentication. The first step in our flow is for the user to reset their password from the temporary password Cognito supplies; during this flow we also ask for the given_name and family_name attributes. Here is the request we send to Cognito for the password reset challenge:

Request URL: https://cognito-idp.us-west-2.amazonaws.com/
Request Method: POST
Body:

{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ClientId": "******",
  "ChallengeResponses": {
    "userAttributes.given_name": "John",
    "userAttributes.family_name": "Doe",
    "NEW_PASSWORD": "******",
    "USERNAME": "****"
  },
  "Session": "*********"
}

The response looks something like

{
    "AuthenticationResult": {
        "AccessToken": "****",
        "ExpiresIn": 86400,
        "IdToken": "****",
        "RefreshToken": "****",
        "TokenType": "Bearer"
    },
    "ChallengeParameters": {}
}

We then verify the IdToken, grab the given_name and family_name from the payload, and use them to create a user in our database. User creation is now failing because the given_name and family_name user attributes are missing from the IdToken.

Prior to April 23rd 1:57am CST, the payload had this structure:

{
    "sub": "****-****-***-***-***",
    "email_verified": true,
    "iss": "https://cognito-idp.us-west-2.amazonaws.com/*****",
    "cognito:username": "****-**-****-****-**********",
    "given_name": "John",
    "origin_jti": "*****-****-****-****-**********",
    "aud": "*********",
    "event_id": "******-****-****-****-**********",
    "token_use": "id",
    "auth_time": **********,
    "exp": **********,
    "iat": **********,
    "family_name": "Doe",
    "jti": "******-****-****-****-*********",
    "email": "***@*****.com"
}

Now the IdToken payload does not contain given_name or family_name and has this structure:

{
    "sub": "****-****-***-***-***",
    "email_verified": true,
    "iss": "https://cognito-idp.us-west-2.amazonaws.com/*****",
    "cognito:username": "****-**-****-****-**********",
    "origin_jti": "*****-****-****-****-**********",
    "aud": "*********",
    "event_id": "******-****-****-****-**********",
    "token_use": "id",
    "auth_time": **********,
    "exp": **********,
    "iat": **********,
    "jti": "******-****-****-****-*********",
    "email": "***@*****.com"
}

After authenticating that user through the USER_PASSWORD_AUTH flow, the IdToken payload does contain given_name and family_name.

Has anyone else run into this? Did the Cognito team accidentally release a breaking change to the IdToken creation recently? Any ideas or better implementations are welcome. Thanks!

cbwlily, asked 10 days ago, 53 views
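One defensive pattern for the situation described in the question, as an added example that is not part of the original post or of AWS's own code: treat given_name and family_name as optional in the IdToken and, when they are absent, read them from the user pool record via the Cognito GetUser API (`client.get_user(AccessToken=...)`), checking that the record's sub matches the token's sub before persisting anything. The `resolve_profile` and `attributes_to_dict` names and the sample payloads are constructed for this example; the IdToken must already have been signature-verified (issuer, audience, expiry) before its claims reach this code.

```python
"""Resolve profile attributes from a verified Cognito IdToken, falling back
to GetUser when the token does not carry given_name/family_name."""
from typing import Any, Callable, Dict, List

REQUIRED_ATTRS = ("given_name", "family_name")


def attributes_to_dict(user_attributes: List[Dict[str, str]]) -> Dict[str, str]:
    """Flatten GetUser's [{"Name": ..., "Value": ...}] list into a dict."""
    return {attr["Name"]: attr["Value"] for attr in user_attributes}


def resolve_profile(id_claims: Dict[str, Any],
                    get_user: Callable[[], Dict[str, Any]]) -> Dict[str, Any]:
    """Return the profile to persist in the application database.

    id_claims: payload of an already signature-verified IdToken.
    get_user:  zero-argument callable returning the Cognito GetUser response;
               in production this is `lambda: client.get_user(AccessToken=access_token)`.
    """
    if id_claims.get("token_use") != "id":
        raise ValueError("expected an IdToken (token_use must be 'id')")
    profile: Dict[str, Any] = {"sub": id_claims["sub"], "email": id_claims.get("email")}
    missing = [a for a in REQUIRED_ATTRS if a not in id_claims]
    attrs: Dict[str, str] = {}
    if missing:
        # Fall back to the user pool record instead of failing user creation.
        attrs = attributes_to_dict(get_user()["UserAttributes"])
        # The record must describe the same principal as the token.
        if attrs.get("sub") != id_claims["sub"]:
            raise ValueError("GetUser record does not match the IdToken subject")
        still_missing = [a for a in missing if a not in attrs]
        if still_missing:
            raise ValueError(f"attributes not set on the user pool record: {still_missing}")
    for attr in REQUIRED_ATTRS:
        profile[attr] = id_claims[attr] if attr in id_claims else attrs[attr]
    return profile


# Constructed sample inputs mirroring the two payload shapes in the question.
SUB = "11111111-2222-3333-4444-555555555555"
CLAIMS_AFTER_CHALLENGE = {"sub": SUB, "token_use": "id", "email": "john@example.com"}
CLAIMS_WITH_NAMES = dict(CLAIMS_AFTER_CHALLENGE, given_name="John", family_name="Doe")
GETUSER_RESPONSE = {"Username": SUB, "UserAttributes": [
    {"Name": "sub", "Value": SUB},
    {"Name": "email", "Value": "john@example.com"},
    {"Name": "given_name", "Value": "John"},
    {"Name": "family_name", "Value": "Doe"},
]}
```

When the claims are present no GetUser call is made, so the fallback adds a round trip only for tokens issued from the NEW_PASSWORD_REQUIRED challenge.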
No Answers
