Amplify-js: How do I use amazon-cognito-identity-js to get scopes in the access_token?

Created on 11 Oct 2018 · 13 Comments · Source: aws-amplify/amplify-js

* Which Category is your question related to? *
amazon-cognito-identity-js

* What AWS Services are you utilizing? *
AWS Cognito User Pools

* Provide additional details e.g. code snippets *
How do I use amazon-cognito-identity-js to get the scopes in the access_token? When I login using the web sign-in page I can see all default and custom scopes inside the access token, but when I use amazon-cognito-identity-js I get only the admin scope and nothing else.

Cognito question

All 13 comments

@andrej-vasilj can you try accessToken.decodePayload() to see if the payload contains any info about scopes?

I've been using https://jwt.io/ for quick debugging since it has a nice visual interface to decode tokens. The 'scope' section of the access token is always set to 'aws.cognito.signin.user.admin'. Today I was also trying to use boto3 for Python instead of javascript and I'm running into the same situation. It doesn't even matter if I deselect the 'aws.cognito.signin.user.admin' scope directly in the Cognito web admin console, it still gets listed in the access token. I'm really stuck and I don't know what to try...

@andrej-vasilj I think the scope setting in the Cognito web admin console is only effective for OAuth(Cognito Hosted UI). @yuntuowang what do you think?

I'm having a similar issue, I moved from Cognito hosted to the Amplify libraries, and looking at the jwt token, I don't see the scopes in it (other than aws.cognito.signin.user.admin). Maybe I have something setup wrong...

@ErikCH as I know for now the scope would only be aws.cognito.signin.user.admin, there are no other scopes in the access token given from Cognito.

Closing the issue due to no further response. Feel free to reopen if you still have this issue.

Are there any improvements on this?
Maybe I am looking at this the wrong way, but how would I access an API Gateway resource that accepts specific scopes without having the scopes in the token?

Also, what are the implications of having "aws.cognito.signin.user.admin" in it? I do not want my end users to end up with access to cognito APIs. Is this the case?

I am a bit frustrated about this documentation mess that Amplify brought. Old documentation no longer applies, new documentation does not cover edge cases. New SDKs do not support most of the features.

Any help would be much appreciated.
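The two questions above (what decodePayload() actually shows, and why an API Gateway resource that requires a custom scope rejects the token) can be reproduced offline. This is an added example, not code from the issue or from amplify-js: the tokens are constructed locally with a dummy signature, decodePayload() is a hand-rolled equivalent of CognitoAccessToken.decodePayload() (it decodes, it does not verify), and authorize() is a simplified stand-in for an API Gateway Cognito authorizer with authorization scopes configured.

```javascript
// Added example (not from the issue or the amplify-js project).
// Constructed tokens: three base64url segments with a dummy signature, so nothing
// here is verified; a real authorizer checks the signature before trusting claims.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(s) {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64").toString("utf8");
}

// Build an unsigned JWT-shaped string so the example runs offline.
function makeFakeToken(payload) {
  const header = base64UrlEncode({ alg: "none", typ: "JWT" });
  return `${header}.${base64UrlEncode(payload)}.dummysig`;
}

// Equivalent of accessToken.decodePayload(): decode the middle segment only.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWT");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Cognito stores scopes as one space-separated "scope" claim in the access token.
function tokenScopes(payload) {
  return (payload.scope || "").split(" ").filter(Boolean);
}

// Simplified API Gateway Cognito authorizer with authorization scopes set:
// allow only if the token carries at least one of the required scopes.
function authorize(token, requiredScopes) {
  const scopes = new Set(tokenScopes(decodePayload(token)));
  return requiredScopes.some((s) => scopes.has(s));
}

// Constructed payload shaped like an SRP sign-in token from amazon-cognito-identity-js.
const srpToken = makeFakeToken({
  sub: "user-1", token_use: "access",
  scope: "aws.cognito.signin.user.admin",
});
// Constructed payload shaped like a Hosted UI token with a custom resource-server scope.
const hostedUiToken = makeFakeToken({
  sub: "user-1", token_use: "access",
  scope: "aws.cognito.signin.user.admin openid myapi/orders.read",
});
```

Running authorize(srpToken, ["myapi/orders.read"]) returns false while the Hosted UI token passes, which is exactly the mismatch the thread describes.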

Since we cannot have scopes associated with access tokens given in non-OAuth 2.0 ways, I wonder if there is any alternative, maybe less delicate way, as a compromise, to do _'scope'_ management with it?

Any update on this? A roadmap or anything giving information on getting custom scopes from the access_token?

@jonvanputten since this is an issue/request about the Cognito service, we can't give any roadmap or statement here. It would be more efficient if you can go to the AWS forum and submit this issue to the service team directly. Thanks for your understanding!

I do not think this is a Cognito issue, since I was able to get the scopes with token endpoint with Postman, just Amplify is not returning the necessary scopes. Please refer to #3732.

Yet the .Net Cognito API was having the same problem as well and it also uses SRP to sign in.

Was anyone able to solve this?

Is the answer to use https://github.com/aws-amplify/amplify-js/tree/master/packages/amazon-cognito-identity-js & re-implement Auth.login from amplify with the base library?

IMO - this is an issue because you must have a cognito pool app client with a client secret in order to use scopes. And unfortunately, the amplify javascript sdk doesn't support client secrets (because that would leak the secret out).
