AWS cognito documentation change
Summary
Added detailed documentation about access token scopes and their impact on userInfo endpoint responses
Security assessment
Explains security-relevant scope configurations controlling data exposure but doesn't address a specific vulnerability
Diff
diff --git a/cognito/latest/developerguide/userinfo-endpoint.md b/cognito/latest/developerguide/userinfo-endpoint.md index c57fee98b..cbdc33d97 100644 --- a/cognito/latest/developerguide/userinfo-endpoint.md +++ b/cognito/latest/developerguide/userinfo-endpoint.md @@ -16,0 +17,24 @@ Your OAuth 2.0 third-party identity provider (IdP) also hosts a userInfo endpoin +The scopes in a user's access token are determined by the `scopes` request parameter in authentication requests, or the scopes that the [pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html) adds. You can decode access tokens and examine `scope` claims to see the access-control scopes that they contain. The following are some scope combinations that influence the data returned from the `userInfo` endpoint. The reserved Amazon Cognito scope `aws.cognito.signin.user.admin` has no effect on the data returned from this endpoint. + +###### Example scopes in access token and their effect on the `userInfo` response + +**`openid`** + + +Returns a response with all user attributes that the app client can read. + +**`openid profile`** + + +Returns the user attributes `name`, `family_name`, `given_name`, `middle_name`, `nickname`, `preferred_username`, `profile`, `picture`, `website`, `gender`, `birthdate`, `zoneinfo`, `locale`, and `updated_at`. Also returns [custom attributes](./user-pool-settings-attributes.html#user-pool-settings-custom-attributes). In app clients that don't have read access to each attribute, the response to this scope is all of the attributes within the specification that your app client does have read access to. + +**`openid email`** + + +Returns basic profile information and the `email` and `email_verified` attributes. + +**`openid phone`** + + +Returns basic profile information and the `phone_number` and `phone_number_verified` attributes. + @@ -19 +43 @@ Your OAuth 2.0 third-party identity provider (IdP) also hosts a userInfo endpoin -Your app makes requests to this endpoint directly and not through a browser. +Your application generates requests to this endpoint directly, not through a browser.