How to use identityClaim auth field with profile or custom:x other than user sub #7386

Closed
halilduygulu opened this issue May 23, 2021 · 7 comments
Labels
question General question

Comments

@halilduygulu


Which Category is your question related to?
I am using the GraphQL API via AppSync generated from an Amplify schema. I am trying to set the auth field value from Cognito fields; currently the default version is working, but I could not get the custom:account_id or cognito:profile values working.
In all combinations that I tried, I got ___xamznone____ in the DynamoDB table as the owner field value.

How can I make this work as described here?
https://docs.amplify.aws/cli/graphql-transformer/auth#custom-claims

Amplify CLI Version

$ amplify -v
4.51.0

What AWS Services are you utilizing?
auth, graphql

Provide additional details e.g. code snippets

type Account
  @model
  @auth(
    rules: [
      {
        allow: groups
        groups: ["admin"]
        operations: [create, update, delete, read]
      }
      {
        # owner field populated from the custom:account_id claim
        allow: owner
        ownerField: "owner"
        identityClaim: "custom:account_id"
        operations: [create, read]
      }
      {
        # second owner field populated from the profile claim
        allow: owner
        ownerField: "owner2"
        identityClaim: "profile"
        operations: [create, read]
      }
    ]
  ) {
  id: ID!
  description: String!
  owner: String
  owner2: String
}
@halilduygulu (Author)

I even tried making an authPreTokenGeneration lambda to put my custom "account_id" claim in, and I can see it in the browser console in the idToken payload. But owner in the DynamoDB table is still ___xamznone____.
I used this in the schema file, both with and without the provider section.

{
  allow: owner
  ownerField: "owner"
  provider: userPools
  identityField: "account_id"
  operations: [create, read] 
}

(Screenshot 2021-05-23 at 16 45 13: image not reproduced in this extract)

@halilduygulu (Author)

Seems like I am having this problem: different information inside the idToken and the accessToken.
aws-amplify/amplify-data#485

@halilduygulu (Author)

I have changed the Authorization header for GraphQL calls to the idToken and suddenly everything is working. This should be mentioned in the documentation, in the custom claims section.

@dylan-westbury

@halilduygulu yes, you can receive that information using the ID token, but the question remains: is this secure, as it's trusting the client for that information?

There have been official responses from Amplify staff about using the ID token to access it, but no response on whether it's secure / a secure way to manage it.

@halilduygulu (Author)

Would that not be the case anyway? If someone can edit a field in the access or ID token, they can also edit sub/username in any of these tokens and so assume someone else's identity. I am not aware of the details much, but my logical explanation is that all fields inside the idToken and accessToken are equally secure. If this is not the case, then I would like to learn which ones can be trusted.

@dylan-westbury

Yes, correct @halilduygulu.

So we need to verify the token in some way.

I assume we need to do so like this: https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/

@github-actions

This issue has been automatically locked since there hasn't been any recent activity after it was closed. Please open a new issue for related bugs.

Looking for a help forum? We recommend joining the Amplify Community Discord server *-help channels for those types of questions.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 27, 2021