Status: Open
Labels: area: integration/cdk (Issues related to AWS Cloud Development Kit), aws:cognito (Amazon Cognito), aws:lambda (AWS Lambda), status: backlog (Triaged but not yet being worked on), type: bug (Bug report)
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
I have verified this by deploying the same code to AWS. When doing the `client_credentials` flow, AWS supports passing an `aws_client_metadata` property that gets forwarded along to the pre token generation trigger.
Code is in dotnet. Here is the CDK:
```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.Cognito;
using Amazon.CDK.AWS.Lambda;

// Inside the Stack constructor. The pre token generation Lambda is defined elsewhere.
Function func = ...;

UserPool pool = new UserPool(this, "user-pool", new UserPoolProps
{
    UserPoolName = "Api"
});

// Custom scope "api/access" on a resource server; the app client below requests it.
ResourceServerScope apiAccessScope = new ResourceServerScope(new ResourceServerScopeProps
{
    ScopeName = "access",
    ScopeDescription = "access api"
});
UserPoolResourceServer resourceServer = pool.AddResourceServer("resource-server", new UserPoolResourceServerOptions
{
    UserPoolResourceServerName = "api",
    Identifier = "api",
    Scopes = new ResourceServerScope[] { apiAccessScope }
});

// Pre token generation trigger using the V3 event, the version that carries
// scopes and clientMetadata for the client_credentials flow.
pool.AddTrigger(UserPoolOperation.PRE_TOKEN_GENERATION_CONFIG, func, LambdaVersion.V3_0);

// Confidential app client (has a secret) limited to the client_credentials grant.
pool.AddClient("app-client", new UserPoolClientOptions
{
    UserPoolClientName = "ServiceClient",
    AuthFlows = new AuthFlow { Custom = true },
    GenerateSecret = true,
    AccessTokenValidity = Duration.Minutes(60),
    OAuth = new OAuthSettings
    {
        Flows = new OAuthFlows { ClientCredentials = true },
        Scopes = new OAuthScope[] { OAuthScope.ResourceServer(resourceServer, apiAccessScope) }
    }
});
```
Here is a screenshot of my Postman request (image not reproduced here):
The lambda that handles the triggered event is pretty simple. Here is the method that gets invoked:
```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Logs the raw trigger event and echoes it back unchanged (no claim or scope overrides).
public async Task<JObject> HandleAsync(JObject @in, CancellationToken cancellation)
{
    Console.WriteLine(@in.ToString(Newtonsoft.Json.Formatting.Indented));
    return @in;
}
```
Here is the payload that gets delivered to the lambda running in LocalStack:
```json
{
  "version": "$LATEST",
  "triggerSource": "TokenGeneration_Authentication",
  "userName": "d2by1t067qbkegvnwap59fe8oa",
  "region": "us-east-1",
  "userPoolId": "us-east-1_937f4e2c1fda4eff9f8b7a1a6906b55b",
  "callerContext": {
    "awsSdkVersion": "aws-sdk-unknown-unknown",
    "clientId": "d2by1t067qbkegvnwap59fe8oa"
  },
  "request": {
    "userAttributes": {
      "exp": 1760674682,
      "iss": "http://localhost.localstack.cloud:4566/us-east-1_937f4e2c1fda4eff9f8b7a1a6906b55b",
      "sub": "d2by1t067qbkegvnwap59fe8oa",
      "auth_time": 1760458682,
      "iat": 1760458682,
      "event_id": "827e679d-f802-4b7d-b4f4-36afd1afdff6",
      "token_use": "id",
      "jti": "efaf5cd7-4dab-469c-98ba-021a28a21e3f",
      "cognito:username": "d2by1t067qbkegvnwap59fe8oa",
      "aud": "d2by1t067qbkegvnwap59fe8oa"
    },
    "groupConfiguration": {
      "groupsToOverride": [],
      "iamRolesToOverride": [],
      "preferredRole": null
    }
  },
  "response": {
    "claimsOverrideDetails": null
  }
}
```
Expected Behavior
Expected behavior happens in AWS. Here is the payload when the same code is running in AWS:
```json
{
  "version": "3",
  "triggerSource": "TokenGeneration_ClientCredentials",
  "region": "us-east-1",
  "userPoolId": "us-east-1_85qdQ49V3",
  "userName": "ClientCredentials",
  "callerContext": {
    "awsSdkVersion": "aws-sdk-unknown-unknown",
    "clientId": "b8sqkeivnue4a59e0f7kc8ae5"
  },
  "request": {
    "userAttributes": {},
    "groupConfiguration": null,
    "scopes": [
      "api/access"
    ],
    "clientMetadata": {
      "env": "prod"
    }
  },
  "response": {
    "claimsAndScopeOverrideDetails": null
  }
}
```
Note that `request.clientMetadata` is populated.
How are you starting LocalStack?
With a docker-compose file
Steps To Reproduce
- Deploy the above CDK code to LocalStack.
- Make a Postman request to https://<domain>.auth.us-east-1.amazoncognito.com/oauth2/token as per https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html#exchanging-client-credentials-for-an-access-token-in-request-body
Environment
- OS: Windows
- LocalStack:
  - LocalStack version: 4.8.1.dev5
  - LocalStack Docker image sha: sha256:55f49393c2a8c1d39b921a38241623028c9c085939c248aed2d0bab491ed6c66
  - LocalStack build date: 2025-09-12
  - LocalStack build git hash: f53250380
Anything else?
No response
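As an added illustration for this report (not code from the reporter, from LocalStack, or from AWS), the block below shows in Python what a pre token generation V3 handler for the `client_credentials` flow actually depends on: `request.scopes`, `request.clientMetadata` and the V3 `response.claimsAndScopeOverrideDetails` shape. It bundles a checker that tells the two payloads above apart, a handler that copies allow-listed client metadata into access token claims, and a helper that builds the `/oauth2/token` request. Assumptions: `aws_client_metadata` is sent as a JSON object string in the form body; the allow-listed metadata keys and values (`env` in `prod`/`staging`) are invented; the embedded events are trimmed copies of the two payloads in the report.

```python
"""Added example for the LocalStack client_credentials trigger issue.

Not LocalStack code and not the reporter's code. The two events below are
trimmed copies of the payloads quoted in the report.
"""
import base64
import copy
import json
from urllib.parse import urlencode

CLIENT_CREDENTIALS_SOURCE = "TokenGeneration_ClientCredentials"

# Payload LocalStack delivered (trimmed from the report).
LOCALSTACK_EVENT = {
    "version": "$LATEST",
    "triggerSource": "TokenGeneration_Authentication",
    "userName": "d2by1t067qbkegvnwap59fe8oa",
    "userPoolId": "us-east-1_937f4e2c1fda4eff9f8b7a1a6906b55b",
    "callerContext": {"clientId": "d2by1t067qbkegvnwap59fe8oa"},
    "request": {
        "userAttributes": {"sub": "d2by1t067qbkegvnwap59fe8oa", "token_use": "id"},
        "groupConfiguration": {"groupsToOverride": [], "iamRolesToOverride": [], "preferredRole": None},
    },
    "response": {"claimsOverrideDetails": None},
}

# Payload AWS delivered for the same request (trimmed from the report).
AWS_EVENT = {
    "version": "3",
    "triggerSource": CLIENT_CREDENTIALS_SOURCE,
    "userName": "ClientCredentials",
    "userPoolId": "us-east-1_85qdQ49V3",
    "callerContext": {"clientId": "b8sqkeivnue4a59e0f7kc8ae5"},
    "request": {
        "userAttributes": {},
        "groupConfiguration": None,
        "scopes": ["api/access"],
        "clientMetadata": {"env": "prod"},
    },
    "response": {"claimsAndScopeOverrideDetails": None},
}


def build_token_request(client_id, client_secret, scopes, client_metadata):
    """Headers and form body for POST /oauth2/token with the client_credentials grant.

    Assumption: aws_client_metadata travels as a JSON object string; Cognito
    forwards it to the trigger as request.clientMetadata.
    """
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({
        "grant_type": "client_credentials",
        "scope": " ".join(scopes),
        "aws_client_metadata": json.dumps(client_metadata, separators=(",", ":")),
    })
    return headers, body


def event_problems(event):
    """List the ways `event` departs from the V3 client_credentials trigger shape.

    An empty list means the event looks like what AWS sends for that grant.
    """
    problems = []
    if event.get("version") != "3":
        problems.append(f"version is {event.get('version')!r}, expected '3'")
    if event.get("triggerSource") != CLIENT_CREDENTIALS_SOURCE:
        problems.append(f"triggerSource is {event.get('triggerSource')!r}")
    request = event.get("request") or {}
    if not isinstance(request.get("scopes"), list):
        problems.append("request.scopes is missing")
    if not isinstance(request.get("clientMetadata"), dict):
        problems.append("request.clientMetadata is missing")
    if "claimsAndScopeOverrideDetails" not in (event.get("response") or {}):
        problems.append("response.claimsAndScopeOverrideDetails is missing (V1 response shape)")
    return problems


# Client metadata is caller-controlled: it arrives verbatim from the token
# request body, so only allow-listed keys and values may become token claims.
# This allow-list is invented for the example.
ALLOWED_METADATA = {"env": {"prod", "staging"}}


def handler(event, context=None):
    """Pre token generation V3 handler; returns a new event with the response filled in."""
    if event.get("triggerSource") != CLIENT_CREDENTIALS_SOURCE:
        return event  # other trigger sources are not handled here
    problems = event_problems(event)
    if problems:
        # Fail closed: without scopes/metadata we cannot decide what to put in the token.
        raise ValueError("unexpected trigger event: " + "; ".join(problems))
    out = copy.deepcopy(event)
    meta = out["request"]["clientMetadata"]
    claims = {k: v for k, v in meta.items()
              if k in ALLOWED_METADATA and isinstance(v, str) and v in ALLOWED_METADATA[k]}
    out["response"]["claimsAndScopeOverrideDetails"] = {
        "accessTokenGeneration": {
            "claimsToAddOrOverride": claims,
            "claimsToSuppress": [],
            "scopesToAdd": [],
            "scopesToSuppress": [],
        }
    }
    return out
```

Running `event_problems` over the LocalStack payload reports all five deviations at once (version, triggerSource, missing scopes, missing clientMetadata, V1 response shape), which is a quicker way to check a LocalStack build than reading the logged event by eye. The handler deliberately fails closed on a malformed client-credentials event and never copies metadata wholesale, since anything in `aws_client_metadata` is chosen by whoever holds the client secret.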