
Set custom Role(Scope) in AWSCognitoIdentityProvider #1154

Closed
kuchhadiyaa opened this issue Dec 28, 2018 · 11 comments
Labels
cognito Issues related to AWS Cognito feature-request Request a new feature service Issues that depend on service/backend work

Comments

@kuchhadiyaa

State your question
We are using AWSCognitoIdentityProvider to provide login and signup in our app. We would like to change the scope from "scope": "aws.cognito.signin.user.admin" to "scope": "openid profile".

Currently, there seems to be no way of changing scopes after or before login.

Which AWS Services are you utilizing?
We are using AWSCognitoIdentityProvider

Provide code snippets (if applicable)
We have tried to update the scope after the user logs in using the following method on AWSCognitoIdentityProvider, but it returns an error. Though we want to get the required scope when a user logs in, not after it.

/**
 <p>Updates the name and scopes of resource server. All other fields are read-only.</p>
 
 @param request A container for the necessary parameters to execute the UpdateResourceServer service method.
 @param completionHandler The completion handler to call when the load request is complete.
                          `response` - A response object, or `nil` if the request failed.
                          `error` - An error object that indicates why the request failed, or `nil` if the request was successful. On failed execution, `error` may contain an `NSError` with `AWSCognitoIdentityProviderErrorDomain` domain and the following error code: `AWSCognitoIdentityProviderErrorInvalidParameter`, `AWSCognitoIdentityProviderErrorResourceNotFound`, `AWSCognitoIdentityProviderErrorNotAuthorized`, `AWSCognitoIdentityProviderErrorTooManyRequests`, `AWSCognitoIdentityProviderErrorInternalError`.
 
 @see AWSCognitoIdentityProviderUpdateResourceServerRequest
 @see AWSCognitoIdentityProviderUpdateResourceServerResponse
 */
- (void)updateResourceServer:(AWSCognitoIdentityProviderUpdateResourceServerRequest *)request completionHandler:(void (^ _Nullable)(AWSCognitoIdentityProviderUpdateResourceServerResponse * _Nullable response, NSError * _Nullable error))completionHandler;

Environment(please complete the following information):

  • SDK Version: Latest
  • Dependency Manager: Cocoapods
  • Swift Version : 4.1

Device Information (please complete the following information):

  • Device: All
  • iOS Version: All
  • Specific to simulators: No


@minbi
Contributor

minbi commented Dec 28, 2018

Hi @kuchhadiyaa ,

In your case you may want to check App client settings in the Amazon Cognito console for your User Pool. There are checkbox options in the Allowed OAuth Scopes that allow you to add/change the scopes during sign-in.

What is the method call you are using to sign-in users?

@minbi minbi self-assigned this Dec 28, 2018
@minbi minbi added cognito Issues related to AWS Cognito pending-community-response Issue is pending response from the issue requestor labels Dec 28, 2018
@frankmuellr frankmuellr added the question General question label Jan 2, 2019
@kuchhadiyaa
Author

Hi @minbi ,

Yes, we already enabled those settings when we created the pool.

We are using the following method to sign in

userIdentityPool.getUser().getDetails().continueWith(executor: AWSExecutor.mainThread()) { task in
    // Code executed after login
    return nil
}

and save a closure from the following method to call it when a user signs in (AWSCognitoIdentityPasswordAuthentication).

func getDetails(_ authenticationInput: AWSCognitoIdentityPasswordAuthenticationInput,
                passwordAuthenticationCompletionSource: AWSTaskCompletionSource<AWSCognitoIdentityPasswordAuthenticationDetails>) {
    // Keep the completion source so it can be resolved once the user submits a password
    self.passwordAuthenticationCompletionSource = passwordAuthenticationCompletionSource
}

When a user signs in, we set the result on the saved completion source:

let authDetails = AWSCognitoIdentityPasswordAuthenticationDetails(username: self.userName, password: password)
guard passwordAuthenticationCompletionSource?.trySet(result: authDetails) ?? false else {
    // Unable to set details
    completionSource(false, "Unable to authenticate. Please try again.")
    return
}

@frankmuellr frankmuellr removed the pending-community-response Issue is pending response from the issue requestor label Jan 4, 2019
@minbi
Contributor

minbi commented Jan 5, 2019

We will follow up with the service team to see which method calls are appropriate.

@kuchhadiyaa
Author

@muellerfr any updates on this?

@minbi
Contributor

minbi commented Feb 7, 2019

Hi @kuchhadiyaa ,

Currently, specifying custom scopes is only supported via the OAuth client (Cognito Auth SDK), as you have mentioned above. It is not possible to request custom scopes using the API flow.

I will take this as a feature request to the service team.

@minbi minbi added feature-request Request a new feature and removed question General question labels Feb 7, 2019
@kuchhadiyaa
Author

@minbi @nikhil-dabhade Any plan in near future to complete this?

Or do you have any workaround to do this?

Any suggestions are welcome.

@minbi minbi removed their assignment Jun 11, 2019
@adamdabbracci

adamdabbracci commented Jul 13, 2019

@minbi @nikhil-dabhade Our API is trying to do just-in-time provisioning through Cognito. Our mobile app logs into Cognito, then sends the access token with each API request. When a user hits our API for the first time, it creates a new user in the database if they haven't already been created. This bug is preventing us from using the access_token from the client to call the userinfo endpoint (which is the OIDC standard way of JIT provisioning), so we have no way of populating the user's information. Additionally, the ID token only contains email and phone and this bug is preventing us from requesting additional info like first and last name, so we can't use that method either.

What is the AWS-recommended way of doing JIT user provisioning into our app when using Cognito as our IDP?

@adamdabbracci

@minbi @nikhil-dabhade Is there any plan to update the client to meet OIDC standards? At this point, the access_token generated from this client does not work against the userinfo endpoint, as we cannot use all of the standard OIDC scopes.

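The JIT provisioning gate described in the two comments above, as an added example that is not from this thread or from the AWS SDK: a backend pre-check that tells an API-flow access token (scope aws.cognito.signin.user.admin) apart from an OAuth-flow one before any userinfo call is made, so the missing openid scope is reported at the API boundary instead of surfacing as an opaque userinfo failure. The claim names (token_use, client_id, scope, exp) are the ones Cognito access tokens carry; the app client id and the claim sets are constructed placeholders, and the token is assumed to have been signature-verified against the user pool's JWKS before its claims reach this check.

```python
import time

# Scope Cognito attaches to access tokens obtained through the API (InitiateAuth / SRP) flow
API_FLOW_SCOPE = "aws.cognito.signin.user.admin"
# Constructed placeholder; in practice this is the app client id of the user pool
EXPECTED_CLIENT_ID = "example-app-client-id"

# Constructed sample claim sets (not real tokens). Signature and issuer verification
# are assumed to have already happened; this check only reasons about the claims.
API_FLOW_CLAIMS = {"token_use": "access", "client_id": EXPECTED_CLIENT_ID,
                   "scope": API_FLOW_SCOPE, "sub": "user-1", "exp": 1_700_003_600}
OAUTH_FLOW_CLAIMS = {"token_use": "access", "client_id": EXPECTED_CLIENT_ID,
                     "scope": "openid profile email", "sub": "user-1", "exp": 1_700_003_600}
ID_TOKEN_CLAIMS = {"token_use": "id", "aud": EXPECTED_CLIENT_ID,
                   "sub": "user-1", "exp": 1_700_003_600}


def parse_scopes(scope_claim):
    """Cognito encodes granted scopes as one space-separated 'scope' claim."""
    return set((scope_claim or "").split())


def check_access_token_for_jit(claims, expected_client_id, now=None):
    """Return (usable_for_userinfo, reason) for an already-verified access token."""
    now = time.time() if now is None else now
    if claims.get("token_use") != "access":
        return False, "not an access token: ID tokens are not accepted by the userinfo endpoint"
    if claims.get("client_id") != expected_client_id:
        return False, "access token was issued to a different app client"
    if claims.get("exp", 0) <= now:
        return False, "access token has expired"
    scopes = parse_scopes(claims.get("scope"))
    if "openid" not in scopes:
        origin = "API sign-in flow" if API_FLOW_SCOPE in scopes else "unknown flow"
        return False, f"no openid scope ({origin}); userinfo would reject this token"
    if "profile" not in scopes:
        return True, "openid only: userinfo returns sub (and email if granted), not name claims"
    return True, "ok: userinfo can supply the profile claims needed for JIT provisioning"


if __name__ == "__main__":
    for label, claims in (("api-flow", API_FLOW_CLAIMS), ("oauth-flow", OAUTH_FLOW_CLAIMS),
                          ("id-token", ID_TOKEN_CLAIMS)):
        print(label, check_access_token_for_jit(claims, EXPECTED_CLIENT_ID, now=1_700_000_000))
```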
@royjit royjit added the service Issues that depend on service/backend work label Sep 23, 2022
@atierian
Member

atierian commented Dec 6, 2023

Thanks for opening this feature request. We recommend using Amplify Auth for this -- for more information, please visit https://docs.amplify.aws/swift/build-a-backend/auth/

@atierian atierian closed this as completed Dec 6, 2023