How do I get IdP-issued OIDC or social identity tokens for Amazon Cognito user pools?

Short description

The OpenID Connect (OIDC) IdP authentication flow doesn't allow the user or application to see the IdP-side tokens. For authorization or troubleshooting purposes, some use cases require the actual IdP-issued tokens within the application.

Important: The following resolution assumes that you integrated OIDC IdP or social IdP with Amazon Cognito user pools. If you didn't integrate an IdP with your user pool, then add a user pool sign-in through a third party.

Resolution

Create a custom attribute in a user pool

To create a custom attribute in your user pool, complete the following steps:

1. Open the new Amazon Cognito console, and then choose the Sign-up Experience tab in your user pool.
2. Under the Custom Attributes section, choose Add custom attributes.
3. To create a custom attribute for an access token, enter the following values:
   Name: access_token
   Type: String
   Max: 2,048
   Mutable: Select this check box
4. Choose Save.
5. To create a custom attribute for an ID token, enter the following values:
   Name: id_token
   Type: String
   Max: 2,048
   Mutable: Select this check box
6. Choose Save.

Configure attribute mapping between Amazon Cognito and your IdP

To configure attribute mapping to IdP attributes, complete the following steps:

1. Open the new Amazon Cognito console, and then choose the Sign-in Experience tab in your user pool.
2. Under the Federated Identity Provider sign-in section, select your IdP from the list.
3. In the Identity provider information section, choose Edit. Make sure that the following scopes are in the Authorized scopes section:
   Facebook: public_profile, email
   Google: profile email openid
   Login with Amazon: profile postal_code
   Sign in with Apple: email name
   All other OIDC providers: profile email openid
4. On the Identity provider page, choose Edit in the Attribute mapping section.
5. From the User pool attribute column, select your custom attribute.
6. From the OpenID Connect attribute column, select access_token or id_token.
7. Choose Save.

The following are the results of attribute mapping configuration:

• User pool attribute: custom:id_token
• OpenID Connect attribute: id_token
• User pool attribute: custom:access_token
• OpenID Connect attribute: access_token

Turn on attribute read and write permissions in your Amazon Cognito app client

When a user signs in to the application, Amazon Cognito updates the mapped attributes. For Amazon Cognito to update the mapped user pool attributes, the mapped attributes must be writable in your application's app client settings. For Amazon Cognito to update the user's ID token, the attributes must be readable in your application's app client settings.

To turn on read and write permissions, complete the following steps:

1. Open the new Amazon Cognito console, and then choose the App integration tab in your user pool.
2. Select your app client.
3. In the Attribute read and write permissions section, choose Edit.
4. On the Edit attribute read and write permissions page, select the read and write check boxes for your custom attributes.
5. Choose Save.

Repeat these steps for each app client that uses the custom attribute.

For more information, see Attribute permissions and scopes.

Use the third-party OIDC provider or social IdP to sign in

When you perform a new IdP authentication through the Amazon Cognito Hosted UI, you can see the IdP tokens in the custom attributes. Choose an end user to see the IdP tokens in their attributes. When you decode the ID token, you also see the custom attributes that contain IdP tokens.

Example payload section of the ID token that's issued to the end user:

{
   "custom:access_token": "ya29.a0AeTM1ic9iv_FqpDQeIN......w1OPKdFEbR_Tea",
   "iss": "https://cognito-idp.example_region.amazonaws.com/example_user_pool_id",
   "custom:id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjhjMjdkYjRkMTN............saDMuZ29vZ2xldXNlcmNv"
}

Important:

• The maximum length for any custom attribute is 2,048 characters. When an IdP token exceeds 2,048 characters, you receive the following error: "String attributes cannot have a length of more than 2048".
• You can't remove or modify a custom attribute after you create it.
• If the custom attribute isn't updated in subsequent sign ins, then check the mutability of the custom attribute. This issue is expected after you clear the Mutable check box when you create the attribute. To learn more, see Custom attributes.

Note: If you still can't get an IdP token, then contact your IdP. Check whether the IdP supports the passage of tokens that have attributes to Amazon Cognito. Then, contact AWS Support for additional troubleshooting.

Related information

How do I set up Auth0 as an OIDC provider in an Amazon Cognito user pool?

How do I set up LinkedIn as a social identity provider in an Amazon Cognito user pool?

How do I set up Okta as an OpenID Connect identity provider in an Amazon Cognito user pool?

How do I set up Google as a federated identity provider in an Amazon Cognito user pool?

How to view a SAML response in your browser for troubleshooting