Replies: 2 comments
-
@boenhoff - Currently, Cognito IDP does not provide a way to add custom attributes to access tokens. Maybe you can use Auth0; I believe it allows adding custom attributes to the access token.
-
@boenhoff: you can also use the GetUser API to get attributes based on the access token. As you know, Cognito doesn't support custom attributes inside the access token. It only returns them as part of the ID token, hence the choice. While this may not be true to the specification, it is also not a security concern (I am sure you didn't mean it that way anyway).
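The GetUser approach from the reply above, as an added example that is not part of the original thread or the project's code: the backend takes only the access token and resolves tenant and role server-side. The attribute names `custom:tenantId` and `custom:userRole`, the role set, and the stub client with its sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed attribute names and roles; Cognito prefixes custom attributes with "custom:".
TENANT_ATTR = "custom:tenantId"
ROLE_ATTR = "custom:userRole"
ALLOWED_ROLES = {"admin", "member"}

@dataclass(frozen=True)
class TenantContext:
    username: str
    tenant_id: str
    role: str

def resolve_tenant_context(idp_client, access_token):
    """Resolve tenant and role from an access token via GetUser.
    idp_client exposes get_user(AccessToken=...), e.g. boto3.client("cognito-idp").
    An invalid or revoked token makes the call raise; map that to HTTP 401."""
    resp = idp_client.get_user(AccessToken=access_token)
    # GetUser returns attributes as a list of {"Name": ..., "Value": ...}.
    attrs = {a["Name"]: a["Value"] for a in resp.get("UserAttributes", [])}
    tenant_id = attrs.get(TENANT_ATTR, "").strip()
    role = attrs.get(ROLE_ATTR, "").strip()
    # Fail closed: a missing tenant or an unknown role means no access.
    if not tenant_id:
        raise PermissionError("user has no tenant attribute")
    if role not in ALLOWED_ROLES:
        raise PermissionError("user role missing or not recognised")
    return TenantContext(resp["Username"], tenant_id, role)

class StubIdpClient:
    """Constructed stand-in for the Cognito client so the example runs offline."""
    def __init__(self, users_by_token):
        self._users = users_by_token

    def get_user(self, AccessToken):
        if AccessToken not in self._users:
            raise PermissionError("NotAuthorizedException (simulated)")
        return self._users[AccessToken]

SAMPLE_USERS = {  # constructed sample GetUser responses
    "tok-alice": {"Username": "alice", "UserAttributes": [
        {"Name": "custom:tenantId", "Value": "tenant-42"},
        {"Name": "custom:userRole", "Value": "admin"}]},
    "tok-bob": {"Username": "bob", "UserAttributes": [
        {"Name": "email", "Value": "bob@example.com"}]},
}

if __name__ == "__main__":
    print(resolve_tenant_context(StubIdpClient(SAMPLE_USERS), "tok-alice"))
```

GetUser only accepts access tokens that carry the `aws.cognito.signin.user.admin` scope, and each request costs one call to Cognito, so a short-lived cache keyed on the token is a common companion to this lookup.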
-
I'm a little bit confused right now after reading this blog post: https://auth0.com/blog/id-token-access-token-what-is-the-difference/
Here, the whole app is using the id_token as the token to authenticate against the API. I assume this is done because you only know from the id_token to which tenant a user/token belongs.
Were there considerations made other than the tenantId and userRole which you get from the id_token and can use in the backend service?
What are other alternatives for using the whole application with the access_token, like how it is planned to do so?