From e70911fd35e56360359cf15634fe3058c1507776 Mon Sep 17 00:00:00 2001
From: Bert Blommers
Date: Sun, 12 Mar 2023 09:19:33 -0100
Subject: [PATCH] CognitoIDP: ID-token has different key for username (#6056)
---
 moto/cognitoidp/models.py | 2 +-
 tests/test_cognitoidp/test_cognitoidp.py | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/moto/cognitoidp/models.py b/moto/cognitoidp/models.py
index 0c1cda80e..20b49a8c0 100644
--- a/moto/cognitoidp/models.py
+++ b/moto/cognitoidp/models.py
@@ -539,7 +539,7 @@ class CognitoIdpUserPool(BaseModel):
 "token_use": token_use,
 "auth_time": now,
 "exp": now + expires_in,
- "username": username,
+ "username" if token_use == "access" else "cognito:username": username,
 }
 payload.update(extra_data or {})
 headers = {"kid": "dummy"} # KID as present in jwks-public.json
diff --git a/tests/test_cognitoidp/test_cognitoidp.py b/tests/test_cognitoidp/test_cognitoidp.py
index fb91777bc..bb9bbacc2 100644
--- a/tests/test_cognitoidp/test_cognitoidp.py
+++ b/tests/test_cognitoidp/test_cognitoidp.py
@@ -2893,6 +2893,7 @@ def test_token_legitimacy():
 id_claims["iss"].should.equal(issuer)
 id_claims["aud"].should.equal(client_id)
 id_claims["token_use"].should.equal("id")
+ id_claims["cognito:username"].should.equal(username)
 for k, v in outputs["additional_fields"].items():
 id_claims[k].should.equal(v)
 access_claims = json.loads(jws.verify(access_token, json_web_key, "RS256"))
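Review bot: The conditional key on the added line in `moto/cognitoidp/models.py` gives every `token_use` other than `"access"` the ID-token claim name, and written inline inside the dict literal it is easy to misread as a conditional value. Hoisting it makes the claim shape explicit: `username_claim = "username" if token_use == "access" else "cognito:username"` before the literal, then `username_claim: username,` inside it. The context line `payload.update(extra_data or {})` runs after the literal, so a key of the same name in `extra_data` would replace this claim (and `token_use` or `exp`); if callers can pass caller-influenced attribute names there, that deserves a comment or a guard. The enclosing method starts and ends outside the hunk, so the set of `token_use` values actually passed cannot be confirmed from here.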
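Review bot: The added assertion in `test_token_legitimacy` confirms that `cognito:username` is present in the ID token, but nothing in this hunk checks that the old `username` key is gone from it. A regression that emits both keys would still pass. Adding `assert "username" not in id_claims` next to the new line pins the separation between the two token shapes, which matters to code that picks the identity claim by `token_use`. The access-token checks begin on the last context line and continue outside the hunk, so whether `access_claims["username"]` is asserted cannot be seen here.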