User Pools and Access Tokens

Question

I am hoping to use Cognito and User Pools to support a multitenant environment. So far it checks most of the boxes. It is my understanding that there is no current way to enrich the access token using Lamda triggers. I would really like to pass something to identify which user pool the user authenticated with in the access token to my APIs. Am I missing something or is there a workaround for this?

One option that came to mind is to create a group in each to which all members of the pool are members off that is either the name or combination of the name and tenant id. Is this a reasonable approach or a horrible idea?

Thanks.

One option that came to mind is to create a group in each  to which all members of the pool are members off that is either the name or combination of the name and tenant id. Is this a reasonable approach or a horrible idea?

Thanks.

Answer

Hi,
Currently it is not possible to add custom claims to access-token, if you just want to know which user pool has been used to authenticate the user then you can use the "iss" claim which has the issuer user-pool-id in it, you will need to keep a mapping between user-pool-id and tenant-id in your backend and lookup this mapping in your application when needed.

Having a group that all users belong to is a good idea as well if this allows you to propagate the information you need about tenants without having to keep an external storage, another option is to use usernames that are combination of tenant-id and username, the username gets propagated to access-token as well.

Answer

Seems like you should be able to add claims if you use this lambda hook - https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html

User Pools and Access Tokens

Relevant content