I'm really struggling to add custom roles or groups in the JWT token generated by Cognito. I'm using the Pre-Token generation trigger in Cognito to execute a Lambda. I'm adding the "groupOverrideDetails" object in the response. Here is my final output:
```json
"response": {
  "claimsOverrideDetails": {
    "claimsToAddOrOverride": {
      "custom_attribute_key2": "attribute_value2",
      "custom_attribute_key": "attribute_value"
    }
  },
  "groupOverrideDetails": {
    "groupsToOverride": [
      "developers"
    ],
    "iamRolesToOverride": [
      "S3_Access_Admin"
    ],
    "preferredRole": "S3_Access_Admin"
  }
}
```
But in my JWT token, I do not see any above mentioned roles or groups.
I don't know what validation is done on the groups and roles you add in the claim, but the only thing I see is that you need to nest the groupOverrideDetails inside the claimsOverrideDetails. Here is a snippet I was able to get working.
```python
def lambda_handler(event, context):
    # list of IAM role ARNs, resolved elsewhere (elided in the original snippet)
    role_arns = ...
    request = event['request']
    event['response'] = {
        'claimsOverrideDetails': {
            'groupOverrideDetails': {
                # we don't need to modify the groups in our case
                'groupsToOverride': request['groupConfiguration']['groupsToOverride'],
                # this will set the claim 'cognito:roles'
                'iamRolesToOverride': role_arns,
                # this will set the claim 'cognito:preferredRole'
                'preferredRole': role_arns[0],
            },
        }
    }
    return event
```
The following Stack Overflow question helped me: AWS Cognito - create groups from ADFS as Cognito Groups
For future reference, here is the aws doc. Scroll down to the section titled Pre Token Generation Example: Modify the User's Group Membership
https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
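Added example, not code from the question or the answer above: a complete Pre Token Generation handler that builds the nested structure the answer describes, keeps the `claimsToAddOrOverride` block from the question in the same `claimsOverrideDetails` object instead of overwriting it, and a small shape check that flags the mistake in the question (a top-level `groupOverrideDetails`). The sample event, the user pool ID, the user attributes and the role ARN are constructed for the example; the only names taken from the page are the Cognito event and response keys.

```python
"""Pre Token Generation trigger: nest groupOverrideDetails under claimsOverrideDetails.

Run stand-alone: python this_file.py
"""
import copy
from typing import Any, Dict, List, Optional

# Constructed sample event in the shape Cognito sends to the trigger.
# The pool ID, user name, attributes and group are made up for this example.
SAMPLE_EVENT: Dict[str, Any] = {
    "version": "1",
    "triggerSource": "TokenGeneration_Authentication",
    "region": "us-east-1",
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "jdoe",
    "request": {
        "userAttributes": {"email": "jdoe@example.com"},
        "groupConfiguration": {
            "groupsToOverride": ["developers"],
            "iamRolesToOverride": [],
            "preferredRole": None,
        },
    },
    "response": {},
}

# Assumed role ARN; Cognito expects full IAM role ARNs here, not bare names.
ROLE_ARNS: List[str] = ["arn:aws:iam::123456789012:role/S3_Access_Admin"]


def build_claims_override(event: Dict[str, Any], role_arns: List[str],
                          extra_claims: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Return the claimsOverrideDetails object with groupOverrideDetails nested inside it."""
    if not role_arns:
        raise ValueError("at least one role ARN is needed to set preferredRole")
    for arn in role_arns:
        if not arn.startswith("arn:aws:iam::"):
            raise ValueError(f"not an IAM role ARN: {arn!r}")

    # Keep the groups Cognito already resolved for the user (as the answer does).
    groups = list(event["request"].get("groupConfiguration", {}).get("groupsToOverride", []))

    override: Dict[str, Any] = {
        "groupOverrideDetails": {
            "groupsToOverride": groups,          # -> cognito:groups
            "iamRolesToOverride": list(role_arns),  # -> cognito:roles
            "preferredRole": role_arns[0],       # -> cognito:preferredRole
        }
    }
    if extra_claims:
        # Plain claims go in claimsToAddOrOverride; values are passed as strings.
        override["claimsToAddOrOverride"] = {k: str(v) for k, v in extra_claims.items()}
    return override


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Entry point: build one claimsOverrideDetails object holding both kinds of override."""
    event["response"] = {
        "claimsOverrideDetails": build_claims_override(
            event, ROLE_ARNS, {"custom_attribute_key": "attribute_value"}
        )
    }
    return event


def has_valid_group_override(event: Dict[str, Any]) -> bool:
    """True when groupOverrideDetails sits under claimsOverrideDetails and preferredRole is one of the roles.

    A top-level groupOverrideDetails (the question's layout) returns False: Cognito does not read it there.
    """
    response = event.get("response", {})
    if "groupOverrideDetails" in response:
        return False
    details = response.get("claimsOverrideDetails", {})
    god = details.get("groupOverrideDetails")
    if not isinstance(god, dict):
        return False
    return god.get("preferredRole") in god.get("iamRolesToOverride", [])


# The question's response layout, reproduced as a constructed event for the check.
QUESTION_LAYOUT: Dict[str, Any] = {
    "request": SAMPLE_EVENT["request"],
    "response": {
        "claimsOverrideDetails": {"claimsToAddOrOverride": {"custom_attribute_key": "attribute_value"}},
        "groupOverrideDetails": {"groupsToOverride": ["developers"],
                                 "iamRolesToOverride": ["S3_Access_Admin"],
                                 "preferredRole": "S3_Access_Admin"},
    },
}

if __name__ == "__main__":
    out = lambda_handler(copy.deepcopy(SAMPLE_EVENT), None)
    print("handler output valid:", has_valid_group_override(out))
    print("question layout valid:", has_valid_group_override(QUESTION_LAYOUT))
```

The shape check is the thing to run against a real trigger's output during development: if `groupOverrideDetails` ends up anywhere other than inside `claimsOverrideDetails`, the `cognito:groups`, `cognito:roles` and `cognito:preferredRole` claims simply will not appear in the token, which is exactly the symptom in the question.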