aws-sdk-android
Custom scopes in access token programmatically
Describe the bug Impossible to get access tokens with custom scopes without using the hosted web ui. Authentication through the amplify drop-in UI for both Android and iOS -- used in the android-sdk-auth example -- or through cognito auth sdk always returns (the single scope) aws.cognito.signin.user.admin even if it is disabled on the app client settings.
To Reproduce
Steps to reproduce the behavior:
1. Follow the android (or iOS)-sdk-auth example;
2. Create a custom scope and enable it on the app client settings;
3. Sign in to the app, grab the access token and check the scopes in jwt.io
Which AWS service(s) are affected? AWS Cognito (in all SDKs) and AWS API Gateway
Expected behavior Access token should return custom scope(s), regardless of using the web ui.
Screenshots
Environment(please complete the following information):
- Latest SDK versions (of both cognitoauth, mobileclient and auth-ui)
Device Information (please complete the following information):
- We tested on both iOS and Android default simulators, although we believe that this happens with any device.
- iOS 11.3 and Android API level 28.
Additional context Our use case: We have native apps (both Android and iOS) trying to authenticate end-users in a user pool. Our API Gateway resources are scoped (none including the aws.cognito.signin.user.admin scope). We want to use implicit grant as we don't want to distribute the application with the client secret in its package, as that would be stored in plain text. We'd rather not use the hosted web ui for improved user experience, especially since everything we have is native. We do understand the implications of not using the web ui, as well as not using the authorization code flow. Thus, the solution would be to use the cognito auth sdk, which we believe doesn't support implicit grant.
We might be approaching this the wrong way, any guidance would also be highly appreciated.
Unsolved related issues throughout the different SDKs:
[Amplify JS] - Access Token does not have required scopes (Http - 400)
[Amplify JS] - How do I use amazon-cognito-identity-js to get scopes in the access_token?
[Amplify iOS] - Feature Request: Cognito "InitiaateAuth" request allowed custom "scopes" in AccessToken
[Amplify Android] - Feature Request: Cognito "InitiateAuth" request allowed custom "scopes" in AccessToken
Hello @bluetrickpt
Currently, specifying custom scopes is only supported via the OAuth client (Cognito Auth SDK) as you have mentioned above. It is not possible to request custom scopes using the API flow.
I will take this as a feature request to the service team.
Thanks, Rohan
Any updates on this?
Agree that this would be a really useful feature. My team has a use case that requires us to implement a custom auth flow, and without being able to have scopes (both built in and custom) in the token we may have to look up the scopes on the app client's resource server at each authorization with a custom auth trigger to verify that the app client has access. Even with that implementation, we can't issue tokens that are limited to a subset of the allowed scopes.
Hi all,
We don't have an update on this issue, but we are communicating your requests to the service team.
This would be very helpful. Is there any plan to address this soon?
Hey, Amplify
We too have run into this issue. It's very useful to have custom scopes so that we can have fine-grained Cognito authorizers on our API Gateway resource. Any update would be great. :)
-Jay
Any update on this?
Anything?
Any update?
Any updates?
Any updates on this? @minbi @rohandubal
Updates would be much appreciated.
Any updates?
Any Update?
Any update on this?
Please, give any update about this feature.
Also looking for an update on this.
Come on AWS, at least throw us a bone here...
Need this badly
Ditto. Any update will be greatly appreciated. Alternatively if we need to 'vote' for this feature please let us know so we can raise awareness through the product owner's radar.
For now I am adding aws.cognito.signin.user.admin to custom authorizer / oauth scopes. Not a great choice but has allowed me to move forward while still using access tokens...
Looking for someone in the Cognito team to provide an update. The request for custom scopes has been pending for almost a year.
I am running into this issue as well. I thought the pre-token lambda could customize this for me, but it only affects the idToken: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
Any help would be much appreciated. Thank you!
Related issue here: https://github.com/aws-amplify/amplify-js/issues/3732#issuecomment-603093351
Thanks for the update DavidWells - just so y'all know this is on our radar as a high priority issue to investigate and is next in queue to be picked up.
Heads up that I've begun investigating this and will keep you posted as I make progress amongst other work.
Same issue here, very annoying for the API Gateway.
Quick update that this is temporarily on hold during a big release push internally but is still my top issue to return to once we get our launch done. In the meantime, if people could give specific examples of why they need the ability to customize the scope on this token, that would be very helpful.
@TrekSoft the reason would be because we want to use the oAuth benefits without having to use the Hosted UI. We want to be able to truly use the scopes so we can control access to our api's based on those scopes, otherwise we end up with our own implementation of oAuth and only use Cognito as a user data store.
@TrekSoft The hosted UI is limited and awkward to customize. I'd rather be able to do auth against the AWS Cognito API, but through my own UI. Want to be able to use the custom scopes defined in Cognito to control access to the remainder of an application.
I agree with @rupertlssmith & @cristian-stoichin
For my specific use case, we need to customize these scopes to allow access to specific endpoints in API gateway v1.
I'm unable to alter these scopes when users log in via my app's UI, and API Gateway v1 (REST) will not accept the id_token with custom scopes, only the access_token.
For example, I can't do this with scope my-app/read because the access_token is stuck with aws.cognito.signin.user.admin:
```yaml
# serverless.yml
functions:
  create:
    handler: posts.create
    events:
      - http:
          path: posts/create
          method: post
          authorizer:
            arn: arn:aws:cognito-idp:us-east-1:xxx:userpool/us-east-1_ZZZ
            scopes:
              # unable to get this working b/c only "aws.cognito.signin.user.admin" set in the token
              - my-app/read
```
This is described here as well
The only way to alter scopes in the access_token is to have the user login via the AWS hosted UI outside of the application flow. Using the hosted UI is not acceptable for the project.
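The following is an added example, not code from this thread or from the AWS SDKs: it reproduces step 3 of the report (inspecting the `scope` claim of an access token, as jwt.io does) and models the scope check an API Gateway REST authorizer applies to the `scopes` list in the serverless.yml above. The tokens are constructed samples with a placeholder signature, and the any-of matching rule in `authorizer_allows` is an assumption about the authorizer's behaviour; the code only decodes claims and never verifies a signature, which a real authorizer must do against the user pool's JWKS.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def access_token_scopes(token: str) -> set:
    """Return the space-separated `scope` claim of a Cognito access token as a set.
    Claims are decoded only, not verified: this mirrors pasting the token into jwt.io."""
    _header, payload, _signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("token_use") != "access":
        raise ValueError("not an access token (id tokens carry no scope claim)")
    return set(claims.get("scope", "").split())


def authorizer_allows(token: str, required_scopes: list) -> bool:
    """Model of the API Gateway Cognito authorizer scope check (assumed any-of match):
    the token must carry at least one of the scopes configured on the method."""
    return bool(access_token_scopes(token) & set(required_scopes))


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample token with a placeholder signature, for offline demonstration only.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# What the native sign-in flows discussed in this thread return: only the default scope.
API_FLOW_TOKEN = make_unsigned_token(
    {"token_use": "access", "client_id": "example-client", "scope": "aws.cognito.signin.user.admin"})
# What the hosted UI returns once the custom scope is enabled on the app client.
HOSTED_UI_TOKEN = make_unsigned_token(
    {"token_use": "access", "client_id": "example-client",
     "scope": "aws.cognito.signin.user.admin my-app/read"})

if __name__ == "__main__":
    for name, tok in (("api flow", API_FLOW_TOKEN), ("hosted ui", HOSTED_UI_TOKEN)):
        print(name, sorted(access_token_scopes(tok)), authorizer_allows(tok, ["my-app/read"]))
```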