How do I get OIDC or social identity provider–issued tokens after integrating the identity provider with Amazon Cognito?

Last updated: 2023-01-23

I want to get the access and ID tokens issued by my identity provider (IdP) that's integrated with Amazon Cognito user pools.

Short description

In the OpenID Connect (OIDC) IdP authentication flow, Amazon Cognito exchanges the IdP-issued authorization code for the IdP's own tokens. Amazon Cognito then issues its own set of tokens and returns them to the end user after successful federation. This process doesn't expose the IdP-side tokens to the user or the application. Some use cases require the IdP-issued tokens within the application for authorization or troubleshooting. To capture and store IdP-issued access and ID tokens when you federate into Amazon Cognito user pools, follow the steps in the Resolution section.

Important: The steps in this article assume that you already integrated an OIDC IdP or a social IdP with your Amazon Cognito user pool. If you haven't integrated an IdP with your user pool yet, then first follow the steps for adding user pool sign-in through a third party.

Resolution

Create a custom attribute in a user pool

Follow these steps to create a custom attribute in your user pool:

1.    Open the new Amazon Cognito console, and then choose the Sign-up Experience tab in your user pool.

2.    Under the Custom attributes section, choose Add custom attributes.

3.    To create a custom attribute for an access token, enter the following values, and then save the changes.

  • Name: access_token
  • Type: String
  • Max: 2,048
  • Mutable: Select this check box

4.    To create a custom attribute for an ID token, enter the following values, and then save the changes.

  • Name: id_token
  • Type: String
  • Max: 2,048
  • Mutable: Select this check box

Configure attribute mapping between Amazon Cognito and your IdP

Follow these steps to configure attribute mapping to IdP attributes:

1.    Open the new Amazon Cognito console, and then choose the Sign-in Experience tab in your user pool.

2.    Under the Federated Identity Provider sign-in section, select your IdP from the list.

3.    Choose the Edit option near the Identity provider information section. Make sure that the following scopes are present in the Authorized scopes section:

  • Facebook example scopes: public_profile, email
  • Google example scopes: profile email openid
  • Login with Amazon example scopes: profile postal_code
  • Sign in with Apple example scopes: email name
  • All other OIDC providers example scopes: profile email openid

4.    Go back to the Identity provider page, and then choose Edit near the Attribute mapping section.

5.    From the User pool attribute column, select the custom attribute that you created earlier.

6.    From the OpenID Connect attribute column, select access_token or id_token, depending on the type of token to be mapped. Then, save your changes.

Example results of configuring attribute mapping:

User pool attribute: custom:id_token
OpenID Connect attribute: id_token

User pool attribute: custom:access_token
OpenID Connect attribute: access_token

Turn on attribute read and write permissions in your Amazon Cognito app client

When a user signs in to the application, Amazon Cognito updates the mapped attributes. For Amazon Cognito to update the mapped user pool attributes, the mapped attributes must be writable in your application's app client settings. For Amazon Cognito to update the user's ID token, the attributes must be readable in your application's app client settings.

1.    Open the new Amazon Cognito console, and then choose the App integration tab in your user pool.

2.    Select your app client from the list of app clients.

3.    In the Attribute read and write permissions section, choose Edit.

4.    On the Edit attribute read and write permissions page, select the read and write check boxes for your custom attributes.

5.    Save the changes.

Repeat these steps for each app client that uses the custom attribute.

For more information, see User pool attributes and go to the Attribute permissions and scopes tab.
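The three console procedures above (create the custom attributes, map the IdP's token claims onto them, and grant the app client read and write access) can also be driven through the cognito-idp API. The following is an added example and not code from the AWS article: it uses the AddCustomAttributes, UpdateIdentityProvider and UpdateUserPoolClient operations, takes the client object as a parameter so that the logic can be exercised offline with the constructed FakeCognito stand-in at the bottom, and, with boto3, would be called with boto3.client("cognito-idp"). The user pool ID, provider name and app client ID in the sample are placeholders.

```python
"""Configure a Cognito user pool to capture IdP-issued tokens in custom attributes.

Added example (not from the AWS article). The Cognito client is injected so the
functions run offline against FakeCognito; in production pass
boto3.client("cognito-idp").
"""

TOKEN_ATTRIBUTES = ("access_token", "id_token")  # names as entered in the console
MAX_ATTRIBUTE_LENGTH = 2048                       # hard limit for String attributes


def create_token_attributes(client, user_pool_id):
    """Step 1: add mutable String attributes access_token and id_token (max 2,048)."""
    schema = [
        {
            "Name": name,
            "AttributeDataType": "String",
            "Mutable": True,  # must stay mutable or later sign-ins won't refresh the token
            "StringAttributeConstraints": {"MaxLength": str(MAX_ATTRIBUTE_LENGTH)},
        }
        for name in TOKEN_ATTRIBUTES
    ]
    client.add_custom_attributes(UserPoolId=user_pool_id, CustomAttributes=schema)
    return [f"custom:{n}" for n in TOKEN_ATTRIBUTES]


def map_token_attributes(client, user_pool_id, provider_name):
    """Step 2: map the IdP's access_token/id_token onto the custom attributes.

    UpdateIdentityProvider replaces the whole mapping, so the existing mapping
    (email, name, ...) is read first and merged instead of being overwritten.
    """
    current = client.describe_identity_provider(
        UserPoolId=user_pool_id, ProviderName=provider_name
    )["IdentityProvider"].get("AttributeMapping", {})
    merged = dict(current)
    for name in TOKEN_ATTRIBUTES:
        merged[f"custom:{name}"] = name
    client.update_identity_provider(
        UserPoolId=user_pool_id, ProviderName=provider_name, AttributeMapping=merged
    )
    return merged


def grant_token_attribute_access(client, user_pool_id, client_id):
    """Step 3: make the custom attributes readable and writable for one app client.

    UpdateUserPoolClient resets every field it is not given to its default, so
    the current client configuration is read back and resubmitted with only
    ReadAttributes/WriteAttributes extended.
    """
    cfg = client.describe_user_pool_client(UserPoolId=user_pool_id, ClientId=client_id)["UserPoolClient"]
    for key in ("ClientSecret", "LastModifiedDate", "CreationDate"):  # response-only fields
        cfg.pop(key, None)
    for perm in ("ReadAttributes", "WriteAttributes"):
        present = list(cfg.get(perm, []))
        present += [f"custom:{n}" for n in TOKEN_ATTRIBUTES if f"custom:{n}" not in present]
        cfg[perm] = present
    client.update_user_pool_client(**cfg)
    return cfg["ReadAttributes"], cfg["WriteAttributes"]


class FakeCognito:
    """Constructed offline stand-in that records calls; not a real AWS client."""

    def __init__(self):
        self.calls = []
        self.mapping = {"email": "email"}
        self.app_client = {
            "UserPoolId": "us-east-1_EXAMPLE", "ClientId": "exampleclientid", "ClientName": "web",
            "ClientSecret": "example-secret", "ReadAttributes": ["email"],
            "WriteAttributes": ["email"], "ExplicitAuthFlows": ["ALLOW_REFRESH_TOKEN_AUTH"],
        }

    def add_custom_attributes(self, **kw):
        self.calls.append(("add_custom_attributes", kw))

    def describe_identity_provider(self, **kw):
        return {"IdentityProvider": {"AttributeMapping": dict(self.mapping)}}

    def update_identity_provider(self, **kw):
        self.mapping = kw["AttributeMapping"]
        self.calls.append(("update_identity_provider", kw))

    def describe_user_pool_client(self, **kw):
        return {"UserPoolClient": dict(self.app_client)}

    def update_user_pool_client(self, **kw):
        self.app_client = kw
        self.calls.append(("update_user_pool_client", kw))


if __name__ == "__main__":
    c = FakeCognito()
    print(create_token_attributes(c, "us-east-1_EXAMPLE"))
    print(map_token_attributes(c, "us-east-1_EXAMPLE", "ExampleOIDC"))
    print(grant_token_attribute_access(c, "us-east-1_EXAMPLE", "exampleclientid"))
```

Run grant_token_attribute_access once per app client that needs the tokens, and only for those: any app client with read access to custom:access_token receives the IdP's bearer credential inside every Cognito ID token it gets, so keeping the read permission narrow limits where that credential can leak.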

Sign in using the third-party OIDC provider or social IdP

After a new IdP authentication through the Amazon Cognito Hosted UI, the IdP tokens appear in the user's custom attributes. Select the user in the console to view the IdP tokens in their attributes. Decoding the user's Cognito ID token also shows the custom attributes that contain the IdP tokens.

Sample payload section of the ID token issued to the end user:

{
    "custom:access_token": "ya29.a0AeTM1ic9iv_FqpDQeIN......w1OPKdFEbR_Tea",
    "iss": "https://cognito-idp.example_region.amazonaws.com/example_user_pool_id",
    "custom:id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhjMjdkYjRkMTN............saDMuZ29vZ2xldXNlcmNv"
}

When creating custom attributes, keep the following points in mind:

  • The maximum length for any custom attribute is 2,048 characters. When an IdP token exceeds 2,048 characters, you receive the following error: "String attributes cannot have a length of more than 2048".
  • You can't remove or modify a custom attribute after its creation.
  • If the custom attribute isn't updated on subsequent sign-ins, then check the mutability of the custom attribute. This behavior is expected if you cleared the Mutable check box when you created the attribute. To learn more, see User pool attributes and go to the Custom attributes tab.
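To see what the sample ID token payload above looks like from the application's side, here is an added example (not code from the AWS article) that decodes a Cognito ID token payload, pulls out the custom:access_token and custom:id_token attributes, decodes the nested IdP ID token to read its issuer, and checks a token against the 2,048-character attribute limit that produces the "String attributes cannot have a length of more than 2048" error. The tokens are constructed with a dummy signature so that the block runs offline; nothing in it verifies a signature, so it is suitable for inspection and troubleshooting, not for making authorization decisions. The issuer URL of the nested token is a placeholder.

```python
"""Read IdP-issued tokens back out of a Cognito ID token (added example).

Decodes without signature verification: use it to inspect what the attribute
mapping produced, not to trust the claims.
"""
import base64
import json

MAX_ATTRIBUTE_LENGTH = 2048
TOKEN_ATTRIBUTES = ("custom:access_token", "custom:id_token")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment):
    # JWTs strip the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims):
    """Build a constructed JWS with a dummy signature, only so the sample runs offline."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.dummy-signature"


def unverified_claims(token):
    """Return the payload of a compact JWS as a dict. Signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def fits_custom_attribute(value):
    """True if value can be stored in a String attribute; longer IdP tokens
    fail the sign-in with 'String attributes cannot have a length of more than 2048'."""
    return len(value) <= MAX_ATTRIBUTE_LENGTH


def extract_idp_tokens(cognito_id_token):
    """Return ({attribute: idp_token}, issuer of the nested IdP id_token or None).

    The IdP access token (e.g. Google's opaque 'ya29.' string) is not a JWT and is
    returned as-is; only custom:id_token is decoded further.
    """
    claims = unverified_claims(cognito_id_token)
    tokens = {name: claims[name] for name in TOKEN_ATTRIBUTES if name in claims}
    idp_issuer = None
    if "custom:id_token" in tokens:
        idp_issuer = unverified_claims(tokens["custom:id_token"]).get("iss")
    return tokens, idp_issuer


# Constructed sample: an IdP-issued id_token nested inside a Cognito ID token.
IDP_ID_TOKEN = make_unsigned_jwt(
    {"iss": "https://idp.example.com", "sub": "1234", "email": "user@example.com"}
)
COGNITO_ID_TOKEN = make_unsigned_jwt({
    "iss": "https://cognito-idp.example_region.amazonaws.com/example_user_pool_id",
    "custom:access_token": "ya29.EXAMPLE-OPAQUE-ACCESS-TOKEN",
    "custom:id_token": IDP_ID_TOKEN,
})

if __name__ == "__main__":
    tokens, issuer = extract_idp_tokens(COGNITO_ID_TOKEN)
    for name, value in tokens.items():
        status = "fits" if fits_custom_attribute(value) else "TOO LONG for a custom attribute"
        print(f"{name}: {status} ({len(value)} chars)")
    print("nested IdP issuer:", issuer)
```

When a sign-in fails with the length error, run fits_custom_attribute over a token obtained directly from the IdP to confirm the cause before changing anything else; IdP ID tokens that embed large profile claims are the usual reason. Treat the extracted access token as the secret it is: it is a live bearer credential for the IdP, so keep it out of logs and client-side storage that other scripts can read.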

Note: If you still can't get an IdP token after following the preceding steps, then contact your IdP. Ask whether the IdP supports passing the tokens within attributes to Amazon Cognito. After you confirm, you can reach out to AWS Support for additional troubleshooting.