
Amplify Auth.signIn() ClientMetadata not sent to Lambda Trigger

We are moving our auth to Cognito and need to alter the token we get from Cognito. We are using a Pre Token Generation Lambda Trigger to accomplish this. We are also using Amplify's Auth library. However, I can not access the clientMetadata we are sending with Auth.signIn().

On the front-end we simply have:

const user = await Auth.signIn(username, password, { metadataKey: metadataValue });

It appears the request is being sent properly because in the Request Payload on the network tab we have:

{
  AuthFlow: ...,
  AuthParameters: ...,
  ClientId: ...,
  ClientMetadata: { metadataKey: metadataValue }
}

In the lambda function I am simply logging the event to the console:

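exports.handler = async (event) => {
  // Log the full trigger event so it shows up in CloudWatch
  console.log('Event:', event)
  // An async handler returns the event rather than calling callback()
  return event
}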

In the AWS CloudWatch logs, the event is logging each time we sign in from the application (so everything seems to be set up properly), but the event does not include a clientMetadata property as part of the event.request.

So ultimately, everything runs right, no errors or anything like that, we get our tokens back from Cognito, but the clientMetadata is nowhere to be found in the Lambda function, preventing us from performing the necessary logic in the Lambda function to adjust our token.

Links:

  • From the signIn Amplify Docs it appears we are calling this properly.
  • From the Pre Token Generation Lambda Trigger Docs, it appears the clientMetadata property should exist at event.request.clientMetadata.
  • This is a related Stack Overflow question, but either I am doing something incorrectly, or AWS changed this, because the individual who asked the question was able to access clientMetadata from Lambda using this same syntax I am using to send it on sign-in.

Any help with this would be tremendously appreciated.

UPDATE:

This seems to be because we are using the authentication flow "USER_PASSWORD_AUTH". This flow is required for smooth user migration which is why we are using it, but it seems to omit the clientMetadata we send.

bykerbry asked Aug 31 '25 03:08


1 Answer

Try setting the metadata value using Auth.configure before executing Auth.signIn. On one hand, it doesn't look like the sign-in event is a pre-token lambda trigger, which explains why the metadata isn't being passed. I appreciate that this is not especially intuitive. That said, on the other hand and assuming you will need to access the same metadata value when tokens are generated as part of a refresh, you'll likely need to cover additional non-initial-signIn events anyways. Using Auth.configure looks to do the trick for both.

Michael Edelman answered Sep 03 '25 05:09
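
clientMetadata is set by the calling client and, as the question shows, can be missing from the trigger event. As an added example (not code from the post, the answer, or AWS), here is a Pre Token Generation handler that tolerates its absence and copies only allowlisted, validated values into claims. The `tenant` key, the `client_` claim prefix and the sample event are assumptions made for illustration.

```javascript
// Added example (not from the original post). ALLOWED_KEYS, the "tenant" key
// and the "client_" claim prefix are hypothetical names chosen for illustration.
const ALLOWED_KEYS = new Set(['tenant']);
const VALUE_PATTERN = /^[A-Za-z0-9_-]{1,64}$/;

// Build claims from clientMetadata, which may be missing from the event.
function buildClaims(event) {
  const metadata = (event.request && event.request.clientMetadata) || {};
  const claims = {};
  for (const [key, value] of Object.entries(metadata)) {
    // Client-supplied input: allowlisted keys and constrained strings only.
    if (ALLOWED_KEYS.has(key) && typeof value === 'string' && VALUE_PATTERN.test(value)) {
      claims[`client_${key}`] = value;
    }
  }
  return claims;
}

// Attach the claims using the Pre Token Generation V1 response shape.
function applyClaims(event) {
  const claims = buildClaims(event);
  if (Object.keys(claims).length > 0) {
    event.response = event.response || {};
    event.response.claimsOverrideDetails = { claimsToAddOrOverride: claims };
  }
  return event;
}

const handler = async (event) => {
  // Log key names only; metadata values may not belong in CloudWatch.
  const keys = Object.keys((event.request && event.request.clientMetadata) || {});
  console.log('trigger=%s clientMetadataKeys=%j', event.triggerSource, keys);
  return applyClaims(event);
};
if (typeof module !== 'undefined') module.exports = { handler };

// Constructed sample event: one allowed key, one key the client should not control.
const sampleEvent = {
  triggerSource: 'TokenGeneration_Authentication',
  request: { userAttributes: {}, clientMetadata: { tenant: 'acme-01', role: 'admin' } },
  response: { claimsOverrideDetails: null },
};
console.log(JSON.stringify(applyClaims(sampleEvent).response));
```

Claims derived this way are still client-asserted, so downstream services should not treat them as proof of authorization.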


