AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-05-10 · Documentation low

File: cognito/latest/developerguide/user-pool-lambda-pre-token-generation.md

Summary

Added documentation for passing client metadata in M2M client credentials flow via URL-encoded parameter

Security assessment

The change documents feature functionality rather than addressing security vulnerabilities. While client metadata handling is security-adjacent, there's no evidence this change fixes an existing vulnerability or introduces new security controls. It primarily expands documentation of existing capabilities.

Diff

diff --git a/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.md b/cognito/latest/developerguide/user-pool-lambda-pre-token-generation.md
index 56b43af5e..6339fe78e 100644
--- a//cognito/latest/developerguide/user-pool-lambda-pre-token-generation.md
+++ b//cognito/latest/developerguide/user-pool-lambda-pre-token-generation.md
@@ -166,0 +167,7 @@ Include the following content in the `LambdaVersion` parameter of your request.
+###### Client metadata for machine-to-machine (M2M) client credentials
+
+You can pass [client metadata](./cognito-user-pools-working-with-lambda-triggers.html#working-with-lambda-trigger-client-metadata) in M2M requests. Client metadata is additional information from a user or application environment that can contribute to the outcomes of a [Pre token generation Lambda trigger](./user-pool-lambda-pre-token-generation.html). In authentication operations with a user principal, you can pass client metadata to the pre token generation trigger in the body of [AdminRespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminRespondToAuthChallenge.html) and [RespondToAuthChallenge](https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html) API requests. Because applications conduct the flow for generation of access tokens for M2M with direct requests to the [Token endpoint](./token-endpoint.html), they have a different model. In the POST body of token requests for client credentials, pass an `aws_client_metadata` parameter with the client metadata object URL-encoded (`x-www-form-urlencoded`) to string. For an example request, see [Client credentials with basic authorization](./token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body). The following is an example parameter that passes the key-value pairs `{"environment": "dev", "language": "en-US"}`.
+    
+    
+    aws_client_metadata=%7B%22environment%22%3A%20%22dev%22,%20%22language%22%3A%20%22en-US%22%7D
+