AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-05-10 · Documentation medium

File: cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md

Summary

Updated documentation for client metadata handling in M2M authentication flows with explicit parameter example

Security assessment

Added detailed instructions for secure client metadata handling in machine-to-machine authentication flows. While security-related, there's no evidence this addresses a specific vulnerability - rather enhances documentation of existing security controls.

Diff

diff --git a/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md b/cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md
index 8f79d99d0..6ee486fdf 100644
--- a//cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md
+++ b//cognito/latest/developerguide/cognito-user-pools-define-resource-servers.md
@@ -64,2 +63,0 @@ The access token from a client credentials grant is a verifiable statement of th
-You can pass [client metadata](./cognito-user-pools-working-with-lambda-triggers.html#working-with-lambda-trigger-client-metadata) in M2M requests. Client metadata is additional information from a user or application environment that can contribute to the outcomes of a [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). Instead of in the body of an API request like with other Lambda triggers, you pass client metadata in `x-www-form-urlencoded` in the POST body of a request to the [Token endpoint](./token-endpoint.html). For an example request, see [Client credentials with basic authorization](./token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body).
-
@@ -69,0 +68,7 @@ For information about optimizing Amazon Cognito operations that add costs to you
+###### Client metadata for machine-to-machine (M2M) client credentials
+
+You can pass [client metadata](./cognito-user-pools-working-with-lambda-triggers.html#working-with-lambda-trigger-client-metadata) in M2M requests. Client metadata is additional information from a user or application environment that can contribute to the outcomes of a [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). In authentication operations with a user principal, you can pass client metadata to the pre token generation trigger in the body of [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html) and [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) API requests. Because applications conduct the flow for generation of access tokens for M2M with direct requests to the [Token endpoint](./token-endpoint.html), they have a different model. In the POST body of token requests for client credentials, pass an `aws_client_metadata` parameter with the client metadata object URL-encoded (`x-www-form-urlencoded`) to string. For an example request, see [Client credentials with basic authorization](./token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body). The following is an example parameter that passes the key-value pairs `{"environment": "dev", "language": "en-US"}`.
+    
+    
+    aws_client_metadata=%7B%22environment%22%3A%20%22dev%22,%20%22language%22%3A%20%22en-US%22%7D
+