2

I am working on migrating all our users from our DB to a managed service, and we're considering AWS Cognito.

We want to use Cognito for Authentication and Access Control.
For access control, we're thinking about putting the user claims in the access token, which is possible using the pre-token generation Lambda, and using them in the resource servers.

The thing is I am not sure that this is the "right way" to do it using OAuth 2.0 and OpenID Connect.

Are we doing it right? Is there a better way?

Tomer Amir

1 Answer

1

Custom attributes are not available in the Cognito access token. Currently, it is not possible to inject additional claims into the access token using the Pre Token Generation Lambda trigger either. The Pre Token Generation Lambda trigger allows you to customize identity token (ID token) claims only.

Sai prateek
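The ID token customization the answer refers to, as an added example that is not part of the original question or answer: a Pre Token Generation handler (V1 event shape) that maps user-pool attributes to ID token claims and falls back to the least-privileged role when the stored value is not recognized. The attribute names `custom:role` and `custom:tenant_id`, the claim names, and the role allow-list are assumptions made for illustration.

```python
# Added example: Cognito Pre Token Generation trigger (V1 event shape).
# "custom:role" / "custom:tenant_id" and the claim names are assumed, not from the page.

ALLOWED_ROLES = {"viewer", "editor", "admin"}  # hypothetical role set
DEFAULT_ROLE = "viewer"                        # fail closed to least privilege


def lambda_handler(event, context):
    """Add authorization claims to the ID token from user-pool attributes."""
    attrs = event.get("request", {}).get("userAttributes", {})

    # Normalize and validate the stored role; never pass it through unchecked.
    role = attrs.get("custom:role", "").strip().lower()
    if role not in ALLOWED_ROLES:
        role = DEFAULT_ROLE

    claims = {"app_role": role}  # V1 claim values must be strings
    tenant = attrs.get("custom:tenant_id", "")
    if tenant:
        claims["tenant_id"] = tenant

    event.setdefault("response", {})
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": claims,
        # Keep the raw attributes out of the token; only validated claims remain.
        "claimsToSuppress": ["custom:role", "custom:tenant_id"],
    }
    return event  # Cognito expects the (modified) event back


def sample_event(user_attributes):
    """Constructed trigger event for local testing (not captured from AWS)."""
    return {
        "triggerSource": "TokenGeneration_Authentication",
        "userName": "constructed-user",
        "request": {"userAttributes": user_attributes, "groupConfiguration": {}},
        "response": {"claimsOverrideDetails": None},
    }


if __name__ == "__main__":
    out = lambda_handler(sample_event({"custom:role": "Admin"}), None)
    print(out["response"]["claimsOverrideDetails"])
```

A resource server consuming these claims would be reading them from the ID token, since that is the token this trigger modifies according to the answer.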