1
votes

Is it possible, via a post-authentication lambda, to alter the list of groups exposed by the AWS Cognito Identity token?

The documentation for the post-authentication Lambda states the following:

".... groupConfiguration structure – contains group-related information that can override group-related claims in the identity token."

Full docs: http://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-identity-pools-working-with-aws-lambda-triggers.html#cognito-user-pools-lambda-trigger-syntax-post-auth

The AWS Cognito Identity token exposes the current payload:

{
  sub: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  cognito:groups: [
    "group1",
    "group2"
  ],
  iss: "https://cognito-idp.*****/**-****-1_********",
  cognito:username: "Google_*****************",
  .....
}

What I would like to do, via a post-authentication lambda, is to alter the list of cognito:groups. Any suggestions on how to do this?

1 Answer

1
votes

There is a mixup in the documentation. This is not currently supported. We are actively working to fix it.