
Can I use Cognito Access Token to generate an ID Token?

Is it possible to use the Cognito Access Token to generate an ID Token? I couldn't find any documentation on this online.

I'm trying to get an ID Token with custom claims, but the existing solutions don't work for my situation (details here). As a workaround, I'm thinking of manually asking Cognito for an ID Token directly with the Access Token after the user logs in.

What I tried

  • Calling Cognito's /oauth2/userinfo endpoint only returns the basic claims, not the custom claims I had added via the pre token generation lambda trigger.
  • Adding custom claims/attributes to the access token. Seems like that's not supported.
  • Idea I haven't explored: use Amplify and somehow get ID Token through there?

You can use your access token to call the getUser method on the Cognito API: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html That will provide the user attributes: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html

This provides the same data as you get on the ID token.
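The GetUser call suggested in the answer above, as an added example that is not part of the original post: it checks that the access token carries the `aws.cognito.signin.user.admin` scope GetUser requires, then flattens the returned attribute list into a claims-style dictionary. The function names, the default region and the `cognito:username` key are choices made for this sketch.

```python
import base64
import json

REQUIRED_SCOPE = "aws.cognito.signin.user.admin"  # scope Cognito requires for GetUser
BOOLEAN_ATTRS = {"email_verified", "phone_number_verified"}


def token_scopes(access_token):
    """Read the scope claim from the JWT payload WITHOUT verifying the signature.

    This is only a pre-flight check; Cognito validates the token in GetUser.
    """
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped base64 padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("scope", "").split())


def attributes_to_claims(get_user_response):
    """Flatten GetUser's [{Name, Value}] list into a claims-style dict."""
    claims = {"cognito:username": get_user_response["Username"]}
    for attr in get_user_response.get("UserAttributes", []):
        name, value = attr["Name"], attr["Value"]
        # GetUser returns every value as a string; normalise the verified flags.
        claims[name] = (value == "true") if name in BOOLEAN_ATTRS else value
    return claims


def fetch_user_claims(access_token, client=None, region="us-east-1"):
    """Call GetUser with the caller's access token and return flattened attributes."""
    if REQUIRED_SCOPE not in token_scopes(access_token):
        raise PermissionError(f"access token lacks scope {REQUIRED_SCOPE}")
    if client is None:
        import boto3  # imported lazily so the helpers above work without the SDK
        client = boto3.client("cognito-idp", region_name=region)
    return attributes_to_claims(client.get_user(AccessToken=access_token))
```

GetUser returns the attributes stored on the user, including `custom:` ones; claims that a pre token generation trigger injects exist only in the token Cognito issues.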

No.

If you need attributes inside an ID token, excluding OpenID claims such as exp, iss, aud, then maybe it's possible.

But if you need an ID token (compliant with OIDC standard claims), then it is only issued by Cognito upon specific Cognito events.

The purpose of the ID token is to identify the user. The ID token is often sent along in the Authorisation header of a request to the backend server to be validated as a security measure. Knowing the purpose of the ID token, it will not be strange to understand why there are only specific ways to obtain the ID token.
