JwtPayload type from aws-amplify/auth is missing cognito:groups attribute

[NicoPowers]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

CDK

Environment information

Details

# Put output below this line
 System:
    OS: Linux 5.15 Ubuntu 22.04.3 LTS 22.04.3 LTS (Jammy Jellyfish)
    CPU: (32) x64 13th Gen Intel(R) Core(TM) i9-13900K
    Memory: 12.47 GB / 15.50 GB
    Container: Yes
    Shell: 5.1.16 - /bin/bash
  Binaries:
    Node: 20.9.0 - ~/.nvm/versions/node/v20.9.0/bin/node
    Yarn: 1.22.21 - ~/.nvm/versions/node/v20.9.0/bin/yarn
    npm: 10.1.0 - ~/.nvm/versions/node/v20.9.0/bin/npm
    pnpm: 8.15.1 - ~/.nvm/versions/node/v20.9.0/bin/pnpm
  npmPackages:
    @tsconfig/node18: ^18.2.2 => 18.2.2 
    aws-cdk-lib: 2.124.0 => 2.124.0 
    constructs: 10.3.0 => 10.3.0 
    sst: ^2.40.3 => 2.40.3 
    typescript: ^5.3.3 => 5.3.3 
  npmGlobalPackages:
    corepack: 0.20.0
    npm: 10.1.0

Describe the bug

When using fetchAuthSession to retrieve the JWT payload of a signed in user, i can get the payload by doing:

fetchAuthSession().then((session): void => {
      const token = session?.tokens?.idToken;      
      if (!token) {
        console.log("No token found");
        return;
      }
      const payload = token.payload;

However, all of my users will be assigned to some cognito user group, so I would expect the type of payload to contain cognito:groups, but it does not:

interface JwtPayloadStandardFields {
    exp?: number;
    iss?: string;
    aud?: string | string[];
    nbf?: number;
    iat?: number;
    scope?: string;
    jti?: string;
    sub?: string;
   cognito:groups?: string[]; <--- THIS IS MISSING
}

When i console log my payload it shows this:

And in fact, there is no scope as well, why is that?

Expected behavior

The types for JwtPayloadStandardFields should contain cognito:groups, especially since the authorized user is being fetched by cognito which inherently supports groups.

Reproduction steps

1. Start up a basic amplify app with auth
2. Add custom user pool groups like Admin or SuperUser
3. Attach the Authenticator HOC to the root of the app
4. Create a user and assign a cognito user pool group to that user
5. Fetch and console log the idToken payload as so:

import { fetchAuthSession} from "aws-amplify/auth";
...

useEffect(() => {
    fetchAuthSession().then((session): void => {
      const token = session?.tokens?.idToken;      
      if (!token) {
        console.log("No token found");
        return;
      }
      const payload = token.payload;
      if (!payload) {
        console.log("No payload found");
        return;
      }
      console.log("Payload found", payload); <--- shows cognito:groups but types does not contain that
    });
  }, []);

Code Snippet

// Put your code below this line.

Log output

Details

// Put your logs below this line

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[cwomack]

Hey, @NicoPowers 👋. Was this working for you previously with a v5 app and when upgrading you're saying that there's a difference in what's returned in the JWT in v6? The cognito:groups attribute should be part of the ID Token and access token returned from Cognito.

Also, can you double check if the user that you're logging in with and experiencing this with is actually in any Cognito User Pool groups? I believe Cognito will not return the cognito:groups claim within the JWT's if a user doesn't belong to a group.

[cwomack]

Closing this issue as we have not heard back from you. If you are still experiencing this, please feel free to reply back and provide any information previously requested and we'd be happy to re-open the issue.

Thank you!

[nathanielrindlaub]

@cwomack, I'm encountering the same issue as @NicoPowers. The problem is that the JWTPayloadStandardFields type interface (defined here) is incomplete.

My authed JWT payload looks like this:

{
    "sub": <sub>,
    "cognito:groups": [
        "superuser",
        "scout/moss_landing/administrator",
        "scout/test_team/administrator"
    ],
    "email_verified": true,
    "iss": <iss>,
    "cognito:username": <username>,
    "origin_jti": <origin_jti>,
    "aud": <aud>,
    "event_id": <event_id>,
    "token_use": "id",
    "auth_time": 1714577094,
    "exp": 1714580694,
    "iat": 1714577094,
    "jti": <jti>
    "email": <email>
}

And because payload.email and payload["cognito:groups"] (and others properties) are not defined in the interface, when I try to use them typescript complains about accessing properties it doesn't know about.

[rhasankolli-nsre]

This is happening to me. Amplify gen 1 was adding this, gen2 is not. The congito:groups does not show up. Why do they keep closing these actual issues without fixing them. You wait until no one answers your question, then close the issue. Do you feel you are doing a good job? This is an actual issue, it affects real world people and you job is not to just close things due to inactivity, I mean, what about the inactivity on this comment from 9 months ago??? Does that matter? This is an issue, It is easily replicated, always replicated, and does not need to be close by you but fixed by someone.

[StijnArts]

Issue persists to this day

[cookiejest]

still broken

[caiotracera]

still broken