I'm using Cognito App Client integration with an external provider (Twitch). User authentication works fine, but as the code from the auth server is consumed by Cognito, I'm not sure how I should send Twitch requests with the token, which I'd normally get from Twitch if Cognito wouldn't consume this code.

I only have the Cognito code, which I can use in https://{my-domain}/oauth2/token requests in exchange for Cognito tokens. The request returns id_token, access_token and refresh_token, which decoded look like:

id token
{
  "at_hash": "yTNkeTAqzqcXCYi3yLL2Pw",
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "cognito:username": "xxxxxxxxxxxx",
  "preferred_username": "xxxxxxxxxxxx",
  "nonce": "SxxlipCDVbXbcXa1H7Uf9_nM0uOurAAObUVCyreBDDux99QoAngUoiGdE0me-0Zon6fEVLLTSqD4EN1Y6_lFm48MaoBaxyywZCQKOT70gfQEfkuhlsjImJd1ko3qH3QKdlmvWSPCUZoACPYNSgR364VPELyQTVMkRTCt9eYROag",
  "aud": "35l1cn53cnj9sv1ndu8u01amk0",
  "identities": [
    {
      "userId": "xxxxxxxxxxxx",
      "providerName": "xxxxxxxxxxxx",
      "providerType": "OIDC",
      "issuer": null,
      "primary": "true",
      "dateCreated": "1588191000072"
    }
  ],
  "token_use": "id",
  "auth_time": 1588191003,
  "exp": 1588194603,
  "iat": 1588191003
}
access token
{
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin phone openid profile email",
  "auth_time": 1588191003,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "exp": 1588194603,
  "iat": 1588191003,
  "version": 2,
  "jti": "55863213-c764-4b07-a386-a9c93d14e4b2",
  "client_id": "xxxxxxxxxxxx",
  "username": "xxxxxxxxxxxx"
}
How can I get the user token to call the Twitch API (for example the GET https://api.twitch.tv/helix/users endpoint with the authorized user's token)?

CAUTION - If you do this incorrectly, you expose sensitive attributes to the client.

You need to create 2 versions of the attributes - custom and dev:custom, map the OIDC provider attributes to the custom ones (looks like dev:custom aren't mappable), then in the TokenGeneration_HostedAuth trigger you need to get these custom attributes, set the dev:custom ones, then delete the custom ones.

Seems like a tweak, but I don't see another way of doing it and keeping tokens safe.

The solution for that is to create custom attributes in your user pool, then map these attributes for the identity provider. Looks something like:
'custom:refresh_token': refresh_token
'custom:id_token': id_token
'custom:access_token': access_token
CloudFormation template for that:
user pool

....
Schema: [
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'refresh_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'access_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'id_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    Mutable: true,
    Name: 'refresh_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    Mutable: true,
    Name: 'access_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    Mutable: true,
    Name: 'id_token',
    Required: false,
  },
],
....

user pool identity provider

....
AttributeMapping: {
  'custom:refresh_token': 'refresh_token',
  'custom:access_token': 'access_token',
  'custom:id_token': 'id_token',
},
....
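
The trigger step described in the answer above, as an added example that is not the answer author's code: a Pre Token Generation Lambda that copies the mapped `custom:*` tokens into the developer-only `dev:custom:*` attributes and deletes the readable copies. The function names are hypothetical, the `claimsToSuppress` step goes beyond what the answer lists, and the Lambda role is assumed to allow `cognito-idp:AdminUpdateUserAttributes` and `cognito-idp:AdminDeleteUserAttributes` on the pool.

```python
# Added example: Pre Token Generation trigger for the custom -> dev:custom move.
# Attribute names follow the schema above; function names are hypothetical.
TOKEN_NAMES = ("access_token", "id_token", "refresh_token")


def move_tokens(event, cognito):
    """Copy custom:* provider tokens to dev:custom:* and delete the custom:* copies.

    `cognito` is a cognito-idp client, injected so the logic can be tested offline.
    """
    if event.get("triggerSource") != "TokenGeneration_HostedAuth":
        return event  # only act on hosted UI (federated) sign-ins

    attrs = event["request"]["userAttributes"]
    present = [n for n in TOKEN_NAMES if attrs.get(f"custom:{n}")]
    if present:
        target = {"UserPoolId": event["userPoolId"], "Username": event["userName"]}
        # Write the developer-only copies first, so a failure never loses the tokens.
        cognito.admin_update_user_attributes(
            UserAttributes=[
                {"Name": f"dev:custom:{n}", "Value": attrs[f"custom:{n}"]}
                for n in present
            ],
            **target,
        )
        # Then remove the copies that app clients are able to read.
        cognito.admin_delete_user_attributes(
            UserAttributeNames=[f"custom:{n}" for n in present], **target
        )

    # Keep the mapped attributes out of the ID token issued for this sign-in.
    event.setdefault("response", {})["claimsOverrideDetails"] = {
        "claimsToSuppress": [f"custom:{n}" for n in TOKEN_NAMES]
    }
    return event


def handler(event, context):
    import boto3  # imported lazily; provided by the Lambda Python runtime

    return move_tokens(event, boto3.client("cognito-idp"))
```

A backend holding AWS credentials can then read the `dev:custom:access_token` attribute through the admin API and call Twitch on the user's behalf, without the provider tokens reaching the client.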