AWS cognito documentation change
Summary
Added documentation for client metadata handling in M2M authentication flows with parameter example
Security assessment
Expanded guidance on passing client metadata securely in token generation flows. Enhances security documentation but doesn't indicate a specific vulnerability being addressed.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md b/cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md index f0ddbf572..8ecd3bcbd 100644 --- a//cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md +++ b//cognito/latest/developerguide/cognito-user-pools-working-with-lambda-triggers.md @@ -332,0 +333,7 @@ The request results in the following request body to your pre sign-up function. +###### Client metadata for machine-to-machine (M2M) client credentials + +You can pass client metadata in M2M requests. Client metadata is additional information from a user or application environment that can contribute to the outcomes of a [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). In authentication operations with a user principal, you can pass client metadata to the pre token generation trigger in the body of [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html) and [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) API requests. Because applications conduct the flow for generation of access tokens for M2M with direct requests to the [Token endpoint](./token-endpoint.html), they have a different model. In the POST body of token requests for client credentials, pass an `aws_client_metadata` parameter with the client metadata object URL-encoded (`x-www-form-urlencoded`) to string. For an example request, see [Client credentials with basic authorization](./token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body). The following is an example parameter that passes the key-value pairs `{"environment": "dev", "language": "en-US"}`. + + + aws_client_metadata=%7B%22environment%22%3A%20%22dev%22,%20%22language%22%3A%20%22en-US%22%7D +