moto
Username instead of email in Cognito JWT access token claims
Hi,

I would like to ask about `email` being present in Cognito JWT access token claims. According to the Cognito documentation it should include `username` and not `email`.

I don't see any option to change that behaviour based on the `create_jwt` method:
```python
def create_access_token(self, client_id, username):
    extra_data = {}
    user = self._get_user(username)
    if len(user.groups) > 0:
        extra_data["cognito:groups"] = [group.group_name for group in user.groups]
    access_token, expires_in = self.create_jwt(
        client_id, username, "access", extra_data=extra_data
    )
    self.access_tokens[access_token] = (client_id, username)
    return access_token, expires_in

def create_jwt(
    self, client_id, username, token_use, expires_in=60 * 60, extra_data=None
):
    now = int(time.time())
    # The same claim set is emitted for every token_use: "email" and "aud"
    # are always present, and no "username" claim is added.
    payload = {
        "iss": "https://cognito-idp.{}.amazonaws.com/{}".format(
            self.region, self.id
        ),
        "sub": self._get_user(username).id,
        "aud": client_id,
        "token_use": token_use,
        "auth_time": now,
        "exp": now + expires_in,
        "email": flatten_attrs(self._get_user(username).attributes).get("email"),
    }
    payload.update(extra_data or {})
    headers = {"kid": "dummy"}  # KID as present in jwks-public.json
    return (
        jws.sign(payload, self.json_web_key, headers, algorithm="RS256"),
        expires_in,
    )
```
Do you consider that a bug or a kind of deprecation?
Hi @mglowinski93, are you also seeing the `username` in an actual boto3 call?

The documentation can be useful as a guide, but it's not always up-to-date or correct. If you have a reproducible test case that shows that the token should contain `username`, that would be very helpful.
Yes, I do. Here is the token which I got:
eyJraWQiOiJrSG5ITDQrYk5IWEFWWldMMTcwajV0bHl0VnBJUVZaek1ubndKK0h6S2xFPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI5MmIwOTQ3NS00OTlkLTQ3ODEtOTBiOS04MzZlZGUyNWEzZmEiLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAudXMtd2VzdC0xLmFtYXpvbmF3cy5jb21cL3VzLXdlc3QtMV80dWpqTXdzZksiLCJjbGllbnRfaWQiOiI0cG9uOGdpOXQ2ZjZkbGxrYTVhcDJpaGNhdiIsIm9yaWdpbl9qdGkiOiI1MjFjYmM5My1lN2YwLTRiMDEtOGVkZS05MThmZWQ3Y2QxNmYiLCJldmVudF9pZCI6ImFhMzQ3ZWMyLTU2MTctNDQzYy1hZTQ0LWRkM2FiMTNhODA2NyIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW4iLCJhdXRoX3RpbWUiOjE2NTY1ODA5OTYsImV4cCI6MTY1NjU4NDU5NSwiaWF0IjoxNjU2NTgwOTk2LCJqdGkiOiJlNjA4MWRhZi00NDBkLTQ4NWItOGFlYy0xM2IyZmU0YTY2NzUiLCJ1c2VybmFtZSI6InF3ZXF3ZSJ9.KQ1edGIVd_phi_EcHA-Cwdr1TVPeaBVsA189KlQs7afFi-pGqpFkSX3y3ZWxhD2gOorSh_J0Pdi_NTxvBEdw74qKxo2hG8GOedEPPqZyCtz85bd1tKHjgiWBrarKFTpTOi__IurKEz5BvhYSi5Wmtpr6kvLKkVfDDvR_nIXs6pfSFJ0tIOMzKsUfUyai4rd1ClQupJnvt5IMKU8iAiBzjyFl4tQQYoqXJsuRNGbLmFxdSV8ouBmBJz_2WG7C4Oz62D7VA7iP-gdlGYXoygBbYtC938H0OcFEaYKPBctp5pvYk-gYU7Tyj0oYfHsoDGkJ2I7nkTXHDMRvb1Ujg4APTQ
from the function

```python
def get_access_token(self, username: str, password: str) -> str:
    return self.cognito_client.admin_initiate_auth(
        UserPoolId=self.user_pool["Id"],
        ClientId=self.app_client["UserPoolClient"]["ClientId"],
        AuthFlow="ADMIN_NO_SRP_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
    )["AuthenticationResult"]["AccessToken"]
```

I can also generate similar token claims with the aws-cli like below:

```shell
aws cognito-idp admin-initiate-auth --cli-input-json file://cognito_auth.json
```
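As an added example (not part of this thread and not moto's code), the script below decodes the access token posted above without verifying its signature, purely to inspect the claim set, and compares it against a dict mirroring the claim names that the quoted `create_jwt` emits. The `REQUIRED_CLAIMS` and `FOREIGN_CLAIMS` sets are my summary of the Cognito token-structure documentation (access tokens carry `username`, `client_id` and `scope`; ID tokens carry `aud`, `cognito:username` and profile attributes such as `email`), and `moto_style_payload` is constructed with placeholder values. Decoding here is inspection only; a real consumer must verify the RS256 signature against the pool's JWKS before trusting any claim.

```python
import base64
import json

# Real Cognito access token as posted in this thread (us-west-1 pool).
POSTED_ACCESS_TOKEN = (
    "eyJraWQiOiJrSG5ITDQrYk5IWEFWWldMMTcwajV0bHl0VnBJUVZaek1ubndKK0h6S2xFPSIsImFsZyI6IlJTMjU2In0."
    "eyJzdWIiOiI5MmIwOTQ3NS00OTlkLTQ3ODEtOTBiOS04MzZlZGUyNWEzZmEiLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAudXMtd2VzdC0xLmFtYXpvbmF3cy5jb21cL3VzLXdlc3QtMV80dWpqTXdzZksiLCJjbGllbnRfaWQiOiI0cG9uOGdpOXQ2ZjZkbGxrYTVhcDJpaGNhdiIsIm9yaWdpbl9qdGkiOiI1MjFjYmM5My1lN2YwLTRiMDEtOGVkZS05MThmZWQ3Y2QxNmYiLCJldmVudF9pZCI6ImFhMzQ3ZWMyLTU2MTctNDQzYy1hZTQ0LWRkM2FiMTNhODA2NyIsInRva2VuX3VzZSI6ImFjY2VzcyIsInNjb3BlIjoiYXdzLmNvZ25pdG8uc2lnbmluLnVzZXIuYWRtaW4iLCJhdXRoX3RpbWUiOjE2NTY1ODA5OTYsImV4cCI6MTY1NjU4NDU5NSwiaWF0IjoxNjU2NTgwOTk2LCJqdGkiOiJlNjA4MWRhZi00NDBkLTQ4NWItOGFlYy0xM2IyZmU0YTY2NzUiLCJ1c2VybmFtZSI6InF3ZXF3ZSJ9."
    "KQ1edGIVd_phi_EcHA-Cwdr1TVPeaBVsA189KlQs7afFi-pGqpFkSX3y3ZWxhD2gOorSh_J0Pdi_NTxvBEdw74qKxo2hG8GOedEPPqZyCtz85bd1tKHjgiWBrarKFTpTOi__IurKEz5BvhYSi5Wmtpr6kvLKkVfDDvR_nIXs6pfSFJ0tIOMzKsUfUyai4rd1ClQupJnvt5IMKU8iAiBzjyFl4tQQYoqXJsuRNGbLmFxdSV8ouBmBJz_2WG7C4Oz62D7VA7iP-gdlGYXoygBbYtC938H0OcFEaYKPBctp5pvYk-gYU7Tyj0oYfHsoDGkJ2I7nkTXHDMRvb1Ujg4APTQ"
)

# Assumption: claim names Cognito places in each token type, per its docs.
REQUIRED_CLAIMS = {
    "access": {"sub", "iss", "client_id", "token_use", "scope", "username", "exp", "iat"},
    "id": {"sub", "iss", "aud", "token_use", "cognito:username", "exp", "iat"},
}
# Claims that belong to the other token type and should not appear.
FOREIGN_CLAIMS = {
    "access": {"aud", "email", "cognito:username"},
    "id": {"client_id", "scope", "username"},
}


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding first.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_unverified(token: str) -> tuple:
    # Splits header.payload.signature and parses the first two. The signature
    # is deliberately ignored: this only inspects claims, it does not authenticate.
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def claim_shape_problems(payload: dict) -> dict:
    # Reports required claims that are absent and claims that belong to the
    # other token type, keyed on the token_use claim.
    token_use = payload.get("token_use")
    if token_use not in REQUIRED_CLAIMS:
        return {"missing": [], "foreign": [], "error": f"unknown token_use {token_use!r}"}
    present = set(payload)
    return {
        "missing": sorted(REQUIRED_CLAIMS[token_use] - present),
        "foreign": sorted(FOREIGN_CLAIMS[token_use] & present),
        "error": None,
    }


def moto_style_payload() -> dict:
    # Constructed to mirror the claim names built by the create_jwt method
    # quoted earlier in this issue; values are placeholders, not real output.
    return {
        "iss": "https://cognito-idp.us-west-1.amazonaws.com/us-west-1_example",
        "sub": "00000000-0000-4000-8000-000000000000",
        "aud": "exampleclientid",
        "token_use": "access",
        "auth_time": 1656580996,
        "exp": 1656584596,
        "email": "someone@example.com",
    }


if __name__ == "__main__":
    header, claims = decode_unverified(POSTED_ACCESS_TOKEN)
    print("header:", header)
    print("claims:", json.dumps(claims, indent=2))
    print("real token problems:", claim_shape_problems(claims))
    print("moto-style problems:", claim_shape_problems(moto_style_payload()))
```

Running it shows the real access token carrying `username`, `client_id` and `scope` with no `email` or `aud`, while the moto-shaped payload is flagged for the missing `username`, `client_id`, `scope` and `iat` claims and for the foreign `aud` and `email` claims. That difference matters for tests: an application that authorizes on `username` from the access token passes against moto but reads a missing claim, and one that reads `email` from the access token passes against moto but fails against Cognito.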
Thanks @mglowinski93 - marking it as a bug then.
Sorry for pushy question, but when can we get the fix for that issue?
Whenever somebody feels like tackling this, @mglowinski93 - there are no timelines here.
Everything is open-source, so if you want to have a look, PRs are always welcome! http://docs.getmoto.org/en/latest/docs/contributing/index.html