Add Allowed scope for generating AccessToken from initiate-auth action

[ingluife]

Is your feature request related to a problem? Please describe.
it would be great to be able to generate an access token with some allowed scope according to what we defined in the Corresponding AppClient

Describe the solution you'd like
Add a parameter called [--scopes <value>] type string which will represent the allowed scope to generate the Token. The scopes can be multiple and comma-separated.

Additional context
E.g:

aws cognito-idp initiate-auth --region us-east-1 --scopes "openid,api-gtw/proxy" --cli-input-json file://auth_data.json

Current behavior:

Currently, when I get a Token with the above command I get a token with the default scope aws.cognito.signin.user.admin. I'm using an ApiGateway with some custom scopes defined in my AppClient and I'm not able to connect with a token got by awscli because that token doesn't have the corresponding custom scope.

Thanks so much in advance

[tim-finnigan]

Hi @ingluife, thanks for the feature request. I'd like to get more context on your use case. Have you tried following the steps here for authorizing access to API Gateway APIs using custom scopes? https://aws.amazon.com/premiumsupport/knowledge-center/cognito-custom-scopes-api-gateway/

[github-actions]

Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

[ingluife]

Hi @tim-finnigan thanks for answering.

Actually that Article you sent me, explain how to get a Cognito token by login page, and that's not what I was requiring.

Let me try to explain it better.

I know how to get a Cognito token by the awscli using this command:

aws cognito-idp initiate-auth --region us-east-1 --cli-input-json file://auth_data.json

At this point everything is fine.

My problem is when I try to get a token with the same command using an AppClient which I defined previously with some Allowed Custom Scope.

Why? Basically because all of the time, the Bearer token I get by awscli has the scope aws.cognito.signin.user.admin and I would like to be able to choose which allowed scope use instead.

[tim-finnigan]

Thanks @ingluife for clarifying. It sounds like your request is essentially what was asked for here: aws-amplify/aws-sdk-android#684. That issue is in an Amplify repository but also mentions the InitiateAuth API.

I’m going to reach out to the Cognito-IDP team to get their thoughts and will update this issue when I here back. I’m also transferring this to our shared aws-sdk repository since this request involves a service team API that is used by other SDKs.

[tim-finnigan]

P58931756

[tonyxyz]

Has any clarity been reached on this? I have spent several days trying to solve exactly the same issue as @ingluife - I have tried using user pool lifecycle trigger lambdas and resource servers to add custom scopes. Whatever path I go down I just come back to the same place: initiate_auth() only returns one scope in the access token: aws.cognito.signin.user.admin - but if I use the hosted ui I get all the applicable scopes including any custom ones created in a resource server.

The effect of this is that I have to use the hosted ui to generate an access token which will let users call a secure API Gateway.

Now I guess it might possible to reverse engineer the steps inside minified javascript on the hosted ui form but it seems crazy that there isn't a straightforward way to do it through a published API.

[tonyxyz]

BTW as well as this thread there are a number of unresolved questions on stack overflow trying to figure out this exact same issue.

[tim-finnigan]

Hi @tonyxyz I just reached out to the Cognito team for an update on this and will let you know when I hear back.

[tonyxyz]

Just a footnote: it did occur to me that maybe using boto3 or one of the other language libraries was causing my IAM access tokens to be smuggled in to the request and that was why the scope always comes back as 'aws.cognito.signin.user.admin'.

So I changed my test code to use the vanilla HTTP API ... same result.