Bug: Unable to add custom claims to authentication token with Powertools v3.9.0 and later #7651

@ogis-takeuchi

Description

The following process worked correctly with Powertools for AWS Lambda (Python) v3.8.0 and earlier, but since v3.9.0, the response in the returned raw_event no longer contains the custom claims.

I would like to avoid directly editing the raw_event dictionary. Is there any recommended way to add custom claims to the authentication token in v3.9.0 or later?

Here is a simplified version of my handler:

```python
# Imports and handler signature added so the snippet is runnable; the original showed only the body.
from aws_lambda_powertools.utilities.data_classes import event_source
from aws_lambda_powertools.utilities.data_classes.cognito_user_pool_event import PreTokenGenerationV2TriggerEvent

@event_source(data_class=PreTokenGenerationV2TriggerEvent)
def lambda_handler(pre_token_generation: PreTokenGenerationV2TriggerEvent, context):
    pre_token_generation.response.claims_scope_override_details.access_token_generation = {
        'claimsToAddOrOverride': {
            'custom_user_id': pre_token_generation.request.user_attributes['preferred_username'],
        }
    }
    # Return the raw event
    return pre_token_generation.raw_event
```

Expected Behaviour

v3.8.0 raw_event example:

```python
{
  'version': '2',
  'region': 'example-region-1',
  ...,
  'response': {
    'claimsAndScopeOverrideDetails': {
      'idTokenGeneration': {
        'claimsToAddOrOverride': {
          'custom_user_id': 'user123'
        }
      },
      'accessTokenGeneration': {
        'claimsToAddOrOverride': {
          'custom_user_id': 'user123'
        },
        'scopesToAdd': ['access:example_scope']
      }
    }
  }
}
```

Current Behaviour

In this case, response is empty.

v3.9.0 raw_event example:

```python
{
  'version': '2',
  'region': 'example-region-1',
  ...,
  'response': {}
}
```


Possible Solution

No response

Steps to Reproduce

We send the following request to this function.

```json
{
    "version": "2",
    "region": "region",
    "userPoolId": "example",
    "userName": "example",
    "triggerSource": "TokenGeneration_HostedAuth",
    "request": {
        "userAttributes": {
            "sub": "example",
            "email": "example@example.com",
            "preferred_username": "example",
            "family_name": "example",
            "given_name": "example",
            "phone_number": "example",
            "custom:family_name_kana": "example",
            "custom:given_name_kana": "example",
            "custom:company_name": "example",
            "custom:created_by": "test",
            "custom:updated_by": "test"
        }
    },
    "response": {}
}
```

Powertools for AWS Lambda (Python) version

latest

AWS Lambda function runtime

3.13

Packaging format used

PyPi

Debugging logs
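As an added example (not code from this report and not Powertools' own implementation), the following plain-Python handler builds the V2 pre-token-generation response the reporter expects, without depending on the Powertools data classes, and pairs it with a regression check that fails when the `response` comes back empty, which is exactly the symptom described above. The helper names `add_custom_claims`, `response_has_claims` and the scope value are assumptions; only the trigger field names (`claimsAndScopeOverrideDetails`, `idTokenGeneration`, `accessTokenGeneration`, `claimsToAddOrOverride`, `scopesToAdd`) and the sample attributes come from the report. The handler works on a deep copy of the incoming event and refuses to issue tokens when the attribute backing the custom claim is missing, so a broken claim never ships silently.

```python
import copy
from typing import Any, Optional

# Constructed sample event, modelled on the "Steps to Reproduce" request in the
# report (placeholder values, not real user data).
SAMPLE_EVENT: dict[str, Any] = {
    "version": "2",
    "region": "region",
    "userPoolId": "example",
    "userName": "example",
    "triggerSource": "TokenGeneration_HostedAuth",
    "request": {
        "userAttributes": {
            "sub": "example",
            "email": "example@example.com",
            "preferred_username": "example",
        }
    },
    "response": {},
}


def add_custom_claims(event: dict[str, Any], scopes_to_add: Optional[list[str]] = None) -> dict[str, Any]:
    """Return a copy of the V2 trigger event with custom_user_id added to both tokens.

    Hypothetical helper. Works on a deep copy so the caller's event (and any other
    reference to it) is never mutated in place.
    """
    result = copy.deepcopy(event)
    if result.get("version") != "2":
        raise ValueError("claimsAndScopeOverrideDetails requires the V2 trigger event")
    username = result.get("request", {}).get("userAttributes", {}).get("preferred_username")
    if not username:
        # Fail closed: never issue tokens whose identity claim would be silently empty.
        raise ValueError("preferred_username attribute missing from request")
    claims = {"custom_user_id": username}
    details = result.setdefault("response", {}).setdefault("claimsAndScopeOverrideDetails", {})
    details["idTokenGeneration"] = {"claimsToAddOrOverride": dict(claims)}
    access: dict[str, Any] = {"claimsToAddOrOverride": dict(claims)}
    if scopes_to_add:
        access["scopesToAdd"] = list(scopes_to_add)
    details["accessTokenGeneration"] = access
    return result


def response_has_claims(event: dict[str, Any], expected: dict[str, str]) -> bool:
    """Regression check for the symptom in the report.

    Returns False when the response is empty or any expected claim is absent from
    either the ID token or the access token section.
    """
    details = event.get("response", {}).get("claimsAndScopeOverrideDetails", {})
    for section in ("idTokenGeneration", "accessTokenGeneration"):
        claims = details.get(section, {}).get("claimsToAddOrOverride", {})
        if any(claims.get(key) != value for key, value in expected.items()):
            return False
    return True


def lambda_handler(event: dict[str, Any], context: Any) -> dict[str, Any]:
    """Lambda entry point: add the claims, then verify them before returning."""
    out = add_custom_claims(event, scopes_to_add=["access:example_scope"])  # scope value is an assumption
    expected = {"custom_user_id": out["request"]["userAttributes"]["preferred_username"]}
    if not response_has_claims(out, expected):
        raise RuntimeError("custom claims missing from pre-token-generation response")
    return out


if __name__ == "__main__":
    print(lambda_handler(SAMPLE_EVENT, None)["response"])
```

Running the check against the v3.9.0 output shown under "Current Behaviour" (an event whose `response` is `{}`) returns `False`, so the same assertion can be kept as a unit test to catch this class of regression when upgrading the library.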
