
JWT nested scopes currently not supported on AWS Cognito / Lambda #1176

@willmitchell

Description


Hello, and thank you for Hasura!

Version: v1.0.0-alpha31

TL;DR: There is now a known issue with AWS Cognito that prevents configuring Hasura with JWTs and Cognito User Pools. Possible short term workaround on the Hasura side would involve allowing Hasura to be configured to use a flat JWT token (no nested namespace).


1. Context

I have been experimenting with running Hasura on AWS. I handle user management with Cognito User Pools. This process allows one to use a Lambda function to contribute JWT claims during the late stages of the login process. This JWT-claim-adding mechanism works fine in general, but it does not work when nested claims are involved. AWS support has just confirmed this finding. Details down below.

What follows below:

  1. My support request to AWS
  2. The AWS response.

Editorial notes: I have edited each of the messages to remove greetings and the name of the AWS support person. I have also bolded the key statement from AWS regarding the known problem with Cognito.


2. The AWS Support request:

I am working with Cognito User Pools and JWT. I have a simple Lambda to add claims (response.claimsOverrideDetails.claimsToAddOrOverride). The claims are generated fine by the Lambda.

It appears that Cognito will not accept nested JWT claims... that it requires all JWT claims to be strings, and not nested JSON objects. Is this a known limitation of the service?

For example, the handler below works (Cognito logins work). If I uncomment the nested claim, the Lambda runs OK, but Cognito cannot interpret the Lambda output.

```javascript
exports.handler = (event, context, callback) => {
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: {
        testKey: "testValue",
        // "https://hasura.io/jwt/claims": {
        //   "x-hasura-allowed-roles": ["editor", "user", "mod"],
        //   "x-hasura-default-role": "admin",
        //   "x-hasura-user-id": "1234567890",
        //   "x-hasura-org-id": "123",
        //   "x-hasura-custom": "custom-value"
        // }
      }
      // "claimsToSuppress": ["email"]
    }
  };
  // Hand the modified event back to Cognito
  callback(null, event);
};
```

References:

Custom claims and scopes: https://auth0.com/docs/api-auth/tutorials/adoption/scope-custom-claims

OIDC spec: https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims


3. The AWS Support response:

I understand that you are using Pre Token Generation Lambda Trigger[1] in Amazon Cognito to add new claims in the Identity token. I also understand that when the claims are added as a normal key:value pair with the value set as a string in the Lambda function, Cognito recognizes the token and allows the user to be signed in successfully. But when nested claims are added (i.e. the value in key:value pair is a JSON object), the Lambda function does execute successfully and it adds the claims in the token. However, Cognito does not recognize the token and authentication fails with "HTTP ERROR 405".

I have replicated the setup in our labs and was able to reproduce the issue at my end. When the claims are added as the nested JSON Object, Cognito Authentication fails with an HTTP error "405". **It seems that currently, it is not possible to add the nested JSON Object in the identity token.** However, for further clarification and confirmation about this behaviour, I have reached out to the Amazon Cognito Engineering Team. Please be assured that I will inform you as soon as I get any further updates around this from our team. Your patience is kindly anticipated.


References:

[1]. Pre Token Generation Lambda Trigger: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.html
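The constraint confirmed above is that every value in `claimsToAddOrOverride` must be a string, while Hasura expects its claims under a nested `https://hasura.io/jwt/claims` object. The following is an added example (not the issue author's Lambda or Hasura's code) of the flat form Cognito will accept: the Hasura namespace is JSON-encoded into a single string claim, every outgoing claim is checked to be a string before the event is returned, and a consumer-side helper shows how the nested object is recovered and sanity-checked. The namespace and `x-hasura-*` keys are taken from the issue; the `custom:roles` attribute, the helper names and the sample event are assumptions. At the Hasura version in this issue the server does not parse a stringified namespace itself (that is the gap the issue describes); later Hasura releases added a `claims_format: stringified_json` option to the JWT config for exactly this case.

```javascript
// Added example, not code from the issue: a Pre Token Generation trigger that
// keeps all claim values as strings, which is what Cognito accepts.
const HASURA_NAMESPACE = "https://hasura.io/jwt/claims";

// Build the nested Hasura claims for a user. The "custom:roles" attribute is an
// assumed comma-separated Cognito attribute; a real deployment would look roles
// up in its own user store.
function buildHasuraClaims(userAttributes) {
  const roles = (userAttributes["custom:roles"] || "user")
    .split(",")
    .map((r) => r.trim())
    .filter((r) => r.length > 0);
  return {
    "x-hasura-allowed-roles": roles,
    "x-hasura-default-role": roles[0],
    "x-hasura-user-id": userAttributes.sub,
  };
}

// Flatten for Cognito: the nested object becomes one JSON-encoded string claim,
// so no value handed to claimsToAddOrOverride is an object.
function toCognitoClaims(hasuraClaims) {
  return { [HASURA_NAMESPACE]: JSON.stringify(hasuraClaims) };
}

// Defensive check run before the event is returned: any non-string value would
// produce the "405" failure described in the AWS response, so fail loudly here.
function assertFlatStringClaims(claims) {
  for (const [key, value] of Object.entries(claims)) {
    if (typeof value !== "string") {
      throw new TypeError(`Claim "${key}" must be a string, got ${typeof value}`);
    }
  }
  return claims;
}

// Pre Token Generation handler in the callback style used in the issue.
function handler(event, context, callback) {
  const hasuraClaims = buildHasuraClaims(event.request.userAttributes);
  const flatClaims = assertFlatStringClaims(toCognitoClaims(hasuraClaims));
  event.response = {
    claimsOverrideDetails: {
      claimsToAddOrOverride: flatClaims,
    },
  };
  callback(null, event);
}

// Consumer side: recover the nested object from a decoded JWT payload and check
// the minimum Hasura relies on (an allowed-roles list containing the default role).
function extractHasuraClaims(payload) {
  const raw = payload[HASURA_NAMESPACE];
  const claims = typeof raw === "string" ? JSON.parse(raw) : raw;
  if (!claims || !Array.isArray(claims["x-hasura-allowed-roles"])) {
    throw new Error("missing or malformed x-hasura-allowed-roles");
  }
  if (!claims["x-hasura-allowed-roles"].includes(claims["x-hasura-default-role"])) {
    throw new Error("x-hasura-default-role is not in x-hasura-allowed-roles");
  }
  return claims;
}

// Constructed sample event in the shape Cognito passes to the trigger.
const sampleEvent = {
  request: { userAttributes: { sub: "1234567890", "custom:roles": "editor,user" } },
  response: {},
};

if (typeof module !== "undefined") {
  module.exports = { handler, buildHasuraClaims, toCognitoClaims, assertFlatStringClaims, extractHasuraClaims, sampleEvent };
}
```

Running `handler(sampleEvent, {}, (err, ev) => console.log(ev.response))` prints a `claimsToAddOrOverride` whose only value is a JSON string; `extractHasuraClaims` on that object returns the original nested claims. The string check is the part worth keeping in any real trigger, because the failure mode the issue describes surfaces only at login time, after the Lambda has already reported success.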

Metadata

Labels

- c/server: Related to server
- k/enhancement: New feature or improve an existing feature
- p/high: candidate for being included in the upcoming sprint
