api-gateway: access custom cognito claim in parameterMapping of HttpAlbIntegration #22010

Open
rmpt opened this issue Sep 12, 2022 · 6 comments
Labels
@aws-cdk/aws-apigateway Related to Amazon API Gateway bug This issue is a bug. effort/medium Medium work item – several days of effort p2

rmpt commented Sep 12, 2022

Describe the bug

When declaring a HttpAlbIntegration with parameterMapping for a regular cognito claim, say email or sub, everything works fine. But when defining a parameterMapping for a custom attribute, where the syntax implies using the prefix custom:, it complains about being an invalid expression.

I've tried according to the RestApi documentation (https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html) but no luck:
"$context.authorizer.claims['custom:my_attr']"

Expected Behavior

The custom attribute should be accessible like any other.

Current Behavior

cdk returns a BadRequest:

Invalid mapping expression specified: Validation Result: warnings : [], errors : 
[Invalid mapping expression specified: $context.authorizer.claims.custom:my_attr] 
(Service: AmazonApiGatewayV2; Status Code: 400; Error Code: BadRequestException; Request ID: d9f58770-dc40-4268-9515-ef4cc354e4d3; Proxy: null)

Reproduction Steps

Create a HttpAlbIntegration for the api gateway:

const integration = new HttpAlbIntegration('http-alb-integration', albListener, {
  method: HttpMethod.ANY,
  vpcLink: vpcLinkStack.vpcLink,
  parameterMapping: new ParameterMapping()
     .appendHeader('x-my-attr', MappingValue.contextVariable('authorizer.claims.custom:my_attr'))
});

cdk will complain about the authorizer.claims.custom:my_attr because of the :.

Possible Solution

Some alternative syntax for these cases, for instance: authorizer.claims.[custom:my_attr]
so custom:my_attr would be treated as a block.

Additional Information/Context

No response

CDK CLI Version

2.41.0 (build 6ad48a3)

Framework Version

No response

Node.js Version

v16.14.2

OS

macOS Monterey 12.5.1

Language

Typescript

Language Version

3.9.7

Other information

No response

@rmpt rmpt added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 12, 2022
@github-actions github-actions bot added the @aws-cdk/aws-apigateway Related to Amazon API Gateway label Sep 12, 2022
@otaviomacedo otaviomacedo added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 18, 2022
@otaviomacedo otaviomacedo removed their assignment Nov 18, 2022

masonchenkb commented Jan 10, 2023

Any updates on this one? I have the same issue when adding custom cognito attributes in parameter mapping for API GW integration via UI portal


yonihod commented Jan 25, 2023

Also have this problem with both the UI portal and openapi integration


piotrekwitkowski commented Aug 18, 2023

For visibility, the same error in the AWS Console. My full error message is:

Invalid mapping expression specified: Validation Result: warnings : [], errors : [Invalid mapping expression specified: $context.authorizer.jwt.claims.cognito:username]


petr-pokorny-1 commented Aug 26, 2023

For ID token, I was able to solve this issue with the help of a pre-token-generation lambda trigger where I added an additional claim without that stupid custom: prefix.

import { PreTokenGenerationTriggerHandler } from 'aws-lambda';

export const handler: PreTokenGenerationTriggerHandler = async (event) => {
    const tenantId = event.request.userAttributes['custom:tenantid'];
    event.response = {
        claimsOverrideDetails: {
            claimsToAddOrOverride: {
                tenantid: tenantId
            }
        },
    };
    return event;
};

and then

const parameterMapping = new ParameterMapping();
parameterMapping.appendHeader('tenantid', MappingValue.contextVariable("authorizer.claims.tenantid"));


piotrekwitkowski commented Dec 5, 2023

Thanks for the workaround. It seems like for now, only two special characters are supported: . (dot) and _ (underscore). Hopefully the service team implements support for : (colons) soon.
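
An added example, not code from this thread or from the aws-cdk project: a generalisation of the pre-token-generation workaround above that copies only an allowlist of `custom:` attributes into claims whose names can be referenced in a mapping expression, and refuses names that would shadow a standard claim. The allowlist, the reserved-claim list, the accepted character set (taken from the observation above) and all function names are assumptions.

```typescript
// Added example: minimal local types so the block runs without the aws-lambda typings.
type Attributes = Record<string, string | undefined>;
interface PreTokenEvent {
  request: { userAttributes: Attributes };
  response: { claimsOverrideDetails?: { claimsToAddOrOverride: Record<string, string> } };
}

// Hypothetical allowlist: only these custom attributes are ever exposed as claims.
const ALLOWED_ATTRIBUTES = ['custom:tenantid', 'custom:my_attr'];
// Standard claims the remapped name must never shadow (illustrative, not exhaustive).
const RESERVED_CLAIMS = new Set(['sub', 'iss', 'aud', 'exp', 'iat', 'email', 'token_use']);
// Assumption from the thread: only '.' and '_' are accepted besides letters and digits.
const SAFE_CLAIM_NAME = /^[A-Za-z][A-Za-z0-9_]*$/;

// Strip the "custom:" prefix and reject anything unsafe to reference or forward.
function toClaimName(attribute: string): string {
  if (!attribute.startsWith('custom:')) throw new Error(`not a custom attribute: ${attribute}`);
  const name = attribute.slice('custom:'.length);
  if (!SAFE_CLAIM_NAME.test(name)) throw new Error(`unsupported characters in claim name: ${name}`);
  if (RESERVED_CLAIMS.has(name)) throw new Error(`would shadow a standard claim: ${name}`);
  return name;
}

// Build the claimsToAddOrOverride map from the allowlisted attributes that are set.
function remapCustomClaims(attrs: Attributes, allowed: string[] = ALLOWED_ATTRIBUTES): Record<string, string> {
  const claims: Record<string, string> = {};
  for (const attribute of allowed) {
    const value = attrs[attribute];
    if (value === undefined || value === '') continue; // unset attribute: emit no claim
    // These claims end up in request headers, so refuse CR/LF and other control characters.
    if (/[\u0000-\u001f\u007f]/.test(value)) throw new Error(`control character in ${attribute}`);
    claims[toClaimName(attribute)] = value;
  }
  return claims;
}

// Pre-token-generation trigger shaped like the one in the workaround above.
const handler = async (event: PreTokenEvent): Promise<PreTokenEvent> => {
  event.response = {
    claimsOverrideDetails: { claimsToAddOrOverride: remapCustomClaims(event.request.userAttributes) },
  };
  return event;
};

// The expression (without "$context.") to pass to MappingValue.contextVariable in the CDK stack.
function contextVariableFor(attribute: string): string {
  return `authorizer.claims.${toClaimName(attribute)}`;
}
```

Throwing from the trigger fails token issuance, so a misconfigured allowlist or a malformed attribute value fails closed instead of producing an unexpected claim or header.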


BwL1289 commented Apr 24, 2024

also interested
