I want to add a specific attribute to the token's payload. This attribute will change rarely (once per month), but I would like the tokens to be updated immediately after the change.
WORKFLOW
In the web/mobile app, the user opens a profile view and changes attribute X. The current value of this attribute is also stored in the ID token. So when the user submits the edit, the new value of X should be saved on the backend and should replace the old value in the ID token. This is important, because attribute X determines whether the user can or cannot do specific things in the app.
What does Cognito do when a payload attribute changes? Does it send a new version of the JWT ID token in the next request?
Should I use the refresh token? Or force the user to sign out and sign in?
Initiate new refresh tokens (API)
Pass REFRESH_TOKEN_AUTH for the AuthFlow parameter of InitiateAuth. The authorization parameter, AuthParameters, is a key-value map where the key is "REFRESH_TOKEN" and the value is the actual refresh token (plus SECRET_HASH when the app client has a client secret). Amazon Cognito returns new ID and access tokens after your API request passes all challenges. Note that this only mints new tokens: the ID token issued earlier is not revoked by the refresh and still verifies until its exp claim passes, so a backend that enforces attribute X from the token will keep seeing the old value from any client that has not refreshed.
You can't change which standard attributes a user pool requires after the pool is created. Instead, create a new user pool with the attributes that you want to require for user registration, then migrate existing users to the new user pool by using an AWS Lambda function as a user migration trigger. This restriction concerns the pool's attribute schema; the value an individual user holds for an existing attribute can still be updated at any time.
To update a Cognito user's attribute values from the backend, use the admin-update-user-attributes command, specifying the user-pool-id, username and user-attributes parameters. Because attribute X gates what the user is allowed to do, it should be writable only through this administrative path: leave it out of the app client's writable attributes, otherwise the user could change it themselves by calling UpdateUserAttributes with their own access token.
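The update-then-refresh procedure described in the two excerpts above, as an added example that is not part of the original page or of AWS's own code. The calls are shaped like boto3's cognito-idp client methods admin_update_user_attributes and initiate_auth(AuthFlow="REFRESH_TOKEN_AUTH"); an in-memory fake client with the same method names stands in for AWS so the flow runs offline, and the pool id, client id, username and refresh-token string are constructed placeholders. Which username value the SECRET_HASH must be computed over for the refresh flow (the pool-assigned username rather than an alias) is an assumption to confirm against the current InitiateAuth documentation.

```python
"""Backend writes custom:X, then the client refreshes so the new ID token carries it."""
import base64
import hashlib
import hmac
import json

# Constructed example; not from the page or AWS. FakeCognito mimics the two boto3
# calls used below so the flow runs offline. Replace it with
# boto3.client("cognito-idp") for real use.


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id)).
    Required in AuthParameters when the app client was created with a secret."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def id_token_claims(id_token: str) -> dict:
    """Decode the payload WITHOUT verifying it. Acceptable for a client reading the
    token it was just issued; never a substitute for signature checks on the server."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def backend_save_attribute(cognito, user_pool_id: str, username: str, value: bool) -> None:
    """Server-side step (needs IAM rights): write custom:X for the user.
    Cognito stores custom attributes as strings, so a boolean becomes 'true'/'false'."""
    cognito.admin_update_user_attributes(
        UserPoolId=user_pool_id,
        Username=username,
        UserAttributes=[{"Name": "custom:X", "Value": json.dumps(value)}],
    )


def client_refresh_tokens(cognito, client_id: str, refresh_token: str,
                          username: str = "", client_secret: str = "") -> dict:
    """Client-side step: trade the refresh token for new ID and access tokens.
    The previously issued ID token is not revoked by this; it lives until exp."""
    params = {"REFRESH_TOKEN": refresh_token}
    if client_secret:
        # Assumption (confirm in docs): hash over the pool username, not an alias.
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    resp = cognito.initiate_auth(ClientId=client_id, AuthFlow="REFRESH_TOKEN_AUTH",
                                 AuthParameters=params)
    return resp["AuthenticationResult"]


class FakeCognito:
    """Offline stand-in: keeps attributes per user and mints unsigned tokens whose
    payload reflects the attributes stored at the moment of issue."""

    def __init__(self):
        self.attrs = {}      # username -> {attribute name: value}
        self.sessions = {}   # refresh token -> username

    @staticmethod
    def _b64url(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    def _mint(self, username: str) -> str:
        claims = {"sub": username, "token_use": "id", **self.attrs.get(username, {})}
        return f"{self._b64url({'alg': 'RS256', 'kid': 'fake'})}.{self._b64url(claims)}.sig"

    def sign_in(self, username: str, refresh_token: str) -> dict:
        self.sessions[refresh_token] = username
        return {"IdToken": self._mint(username), "RefreshToken": refresh_token}

    def admin_update_user_attributes(self, UserPoolId, Username, UserAttributes):
        self.attrs.setdefault(Username, {}).update({a["Name"]: a["Value"] for a in UserAttributes})

    def initiate_auth(self, ClientId, AuthFlow, AuthParameters):
        if AuthFlow != "REFRESH_TOKEN_AUTH":
            raise ValueError("only REFRESH_TOKEN_AUTH is modelled here")
        username = self.sessions[AuthParameters["REFRESH_TOKEN"]]
        return {"AuthenticationResult": {"IdToken": self._mint(username), "AccessToken": "opaque",
                                         "ExpiresIn": 3600, "TokenType": "Bearer"}}


def run_workflow(client_secret: str = "") -> dict:
    """Placeholder ids (pool, client, user, refresh token) are constructed."""
    cognito = FakeCognito()
    backend_save_attribute(cognito, "us-east-1_EXAMPLE", "alice", True)
    session = cognito.sign_in("alice", "rt-1")              # token issued at sign-in
    backend_save_attribute(cognito, "us-east-1_EXAMPLE", "alice", False)   # user edits X
    stale = id_token_claims(session["IdToken"])["custom:X"]  # still the old value
    fresh_result = client_refresh_tokens(cognito, "exampleclientid", session["RefreshToken"],
                                         "alice", client_secret)
    fresh = id_token_claims(fresh_result["IdToken"])["custom:X"]
    return {"stale": stale, "fresh": fresh}
```

The point the workflow makes explicit: the ID token is a snapshot taken at issue time, so after the backend writes the new value the app must trigger a refresh (or re-authenticate) before the token reflects it, and the backend must keep a short token lifetime if a stale value of X must not be honoured for long.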
After a user logs in, an Amazon Cognito user pool returns a JWT. The JWT is made of three Base64url-encoded segments (header, payload, signature); the payload is a JSON object of claims about the user. Amazon Cognito returns three tokens: the ID token, the access token, and the refresh token.
The JWT signature is computed over the Base64url-encoded header and payload (RS256: SHA-256 of that signing input, signed with RSA). Amazon Cognito generates two pairs of RSA cryptographic keys for each user pool; one of the private keys is used to sign the token, and the kid header selects the matching public key in the pool's JWKS. Decoding the ID token (Base64url) only reveals the claims; it does not verify them, so always check the signature against the pool's JWKS and then iss, aud, token_use and exp before trusting any claim. You can use AWS Lambda to decode and verify user pool JWTs. For more information see Decode and verify Amazon Cognito JWT tokens using Lambda.
You can use the tokens to grant your users access to your own server-side resources, or to the Amazon API Gateway. Or, you can exchange them for AWS credentials to access other AWS services. Amazon Cognito user pools implement ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard.
Amazon Cognito writes custom attribute values to the ID token as strings regardless of attribute type, so a boolean attribute arrives as "true" or "false" and must be compared as a string. User pool custom attributes are always prefixed with custom:. The signature of the ID token is calculated over the header and payload of the JWT.
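The verification just described, as an added example that is not code from the page or from AWS. It uses only the Python standard library: a toy RSA key pair generated in the block stands in for the pool's JWKS so that it runs offline, and the issuer URL, pool id (us-east-1_EXAMPLE), client id, kid and username are constructed placeholders. The RSA and PKCS#1 v1.5 routines exist only to make the example self-contained; in production verify with a vetted JWT library against https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json. It also goes beyond the text to show two failure modes: a payload edited without a valid signature is rejected, and a token minted before attribute X changed still verifies until exp.

```python
"""Verify a Cognito-style RS256 ID token and read the custom:X claim (stdlib only)."""
import base64
import hashlib
import json
import math
import secrets
import time

# Constructed example; not from the page or AWS. Toy RSA replaces the pool's JWKS.
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin: fine for a demo key, not a production key generator."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    if n < 2 or any(n % p == 0 for p in small):
        return n in small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(candidate):
            return candidate


def gen_rsa_key(bits: int = 1024) -> dict:
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), which is what RS256 signs."""
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(msg: bytes, sig: bytes, pub: dict) -> bool:
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _emsa_pkcs1_v15(msg, k)


def issue_id_token(key: dict, kid: str, iss: str, aud: str, sub: str, x, now: int, ttl: int = 3600) -> str:
    """Mint a token shaped like a Cognito ID token; custom:X is written as a string."""
    header = {"kid": kid, "alg": "RS256"}
    claims = {"sub": sub, "iss": iss, "aud": aud, "token_use": "id", "auth_time": now, "iat": now,
              "exp": now + ttl, "custom:X": json.dumps(x) if isinstance(x, bool) else str(x)}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), key))


def verify_id_token(token: str, jwks: dict, iss: str, aud: str, now: int) -> dict:
    """Return claims only if signature, issuer, audience, token_use and expiry all pass."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":                 # pin the algorithm; the token must not choose it
        raise ValueError("unexpected alg")
    pub = jwks.get(header.get("kid"))                # kid picks one of the pool's two signing keys
    if pub is None or not rs256_verify(f"{h}.{p}".encode(), b64url_decode(s), pub):
        raise ValueError("unknown kid or bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != iss or claims.get("aud") != aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("token_use") != "id" or claims.get("exp", 0) <= now:
        raise ValueError("not an ID token, or expired")
    return claims


def demo() -> dict:
    key = gen_rsa_key()
    jwks = {"key-1": {"n": key["n"], "e": key["e"]}}   # stand-in for the pool's jwks.json
    iss = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"   # placeholder pool
    aud, now = "exampleclientid", int(time.time())
    token = issue_id_token(key, "key-1", iss, aud, "alice", True, now)
    claims = verify_id_token(token, jwks, iss, aud, now)
    # Editing custom:X in the payload without the private key must be rejected.
    h, p, s = token.split(".")
    edited = json.loads(b64url_decode(p))
    edited["custom:X"] = "false"
    tampered = f"{h}.{b64url_encode(json.dumps(edited).encode())}.{s}"
    try:
        verify_id_token(tampered, jwks, iss, aud, now)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    # X changed in the pool after issue, yet the old token verifies until exp: hence the refresh.
    stale_valid = verify_id_token(token, jwks, iss, aud, now + 1800)["custom:X"] == "true"
    return {"custom_x": claims["custom:X"], "forged_accepted": forged_accepted, "stale_valid": stale_valid}
```

The two flags returned by demo() are the practical lessons: forged_accepted is False because the claim cannot be altered without the pool's private key, and stale_valid is True because nothing in the token ties it to the current attribute value, so the backend must either tolerate the token lifetime or look X up directly for decisions that cannot wait for a refresh.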
The refresh token will be more appropriate in this use case. Currently, the refresh token flow is not exposed in the high-level Android SDK for user pools because it is done behind the scenes by the SDK. For now, you might have to call the refresh-token flow from the low-level SDK to get around this. (I am a developer from the Amazon Cognito team; we will take this as a feature request to allow this from our high-level SDKs.)