Amazon Cognito "A client attempted to write unauthorized attribute"
Javascript Problem Overview
I'm using the JavaScript SDK for AWS Cognito, and there are a couple of custom attributes that I just can't seem to save to and can't see why.
The problem attributes are mutable string fields as follows:
custom:role
custom:recruitingrole
custom:title
Other custom fields in the same request seem to update OK. Specifically, these ones seem to work:
custom:division
custom:linkedin
custom:location
custom:bio
When I submit via the SDK, this is returned:
{"__type":"NotAuthorizedException","message":"A client attempted to write unauthorized attribute"}
Here is the data that is sent, as shown in the Chrome developer console network output:
{
  "AccessToken": "",
  "UserAttributes": [{
    "Name": "name",
    "Value": "Steve Austin"
  }, {
    "Name": "custom:company",
    "Value": "OSI"
  }, {
    "Name": "custom:division",
    "Value": "Bionics"
  }, {
    "Name": "custom:recruitingrole",
    "Value": "other"
  }, {
    "Name": "custom:linkedin",
    "Value": "http://www.linkedin.com"
  }, {
    "Name": "custom:location",
    "Value": "Mexico City, Mexico City, Mexico"
  }, {
    "Name": "custom:bio",
    "Value": "A man barely alive."
  }]
}
Can anyone suggest why I can't save to these attributes?
Thanks
Javascript Solutions
Solution 1 - Javascript
Of course the answer became clear the moment I finished posting on StackOverflow.
The problem was that I had not set permissions for these attributes in the app associated with the user pool. The documentation should make this requirement clear where it discusses custom attributes.
Solution 2 - Javascript
Just highlighting the answer from @mvandillen:
General settings -> App clients -> Show details -> Set attribute read and write permissions link
Solution 3 - Javascript
For anyone that stumbles upon this question:
Like the others suggested, you should enable the writable attributes. But if that doesn't work, make sure you use the custom: prefix:
await Auth.signUp({
  username: email,
  password: password,
  attributes: {
    'custom:firstName': firstName,
    'custom:lastName': lastName,
    'custom:countryCode': countryCode
  }
})
Solution 4 - Javascript
Using Amazon.Extensions.CognitoAuthentication in ASP.NET Core, you have to add:
var user = _pool.GetUser(model.Email);
user.Attributes.Add("name", model.Name);
Here name is the custom attribute.
Solution 5 - Javascript
My case is a bit different. I am using the Amplify Angular component and I don't have any custom attributes (standard email login type).
It turns out that the key of the sign-up fields is case-sensitive. For the uppercase 'Email' key, I will see the error. Below is the sign-up configuration:
emailSignUpConfig = {
  header: 'Sign up header',
  hideAllDefaults: true,
  defaultCountryCode: '1',
  signUpFields: [
    {
      label: 'Email',
      key: 'email', // the email should be in lower case
      required: true,
      displayOrder: 1,
      type: 'string',
    },
    {
      label: 'Password',
      key: 'password',
      required: true,
      displayOrder: 2,
      type: 'password',
    },
  ],
};
Solution 6 - Javascript
After enabling writeable attributes, this is what works for me:
const user = {
  username: this.username,
  password: this.password,
  attributes: {
    email: this.email,
    'custom:field1': this.field1,
    'custom:field2': this.field2,
    'custom:field3': this.field3
  }
}
OR
const user = {
  username: this.username,
  password: this.password,
  email: this.email,
  attributes: {
    'custom:field1': this.field1,
    'custom:field2': this.field2,
    'custom:field3': this.field3
  }
}
Solution 7 - Javascript
I would just like to add to the list regarding Android and Amplify's Auth lib. Along with enabling custom roles as specified above via AWS Console (General settings -> App clients -> Show details -> Set attribute read and write permissions link) you need to specify that the custom role under AuthUserAttributeKey.custom() has the string custom: prepended to your custom field. My assumption was that this would be excluded given the function call name. A little misleading but I hope this helps someone else out there.
TLDR;
Changed this:
AuthUserAttributeKey.custom("role");
to:
AuthUserAttributeKey.custom("custom:role");
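The causes reported in Solutions 1 to 3, 5 and 7 (attribute not writable for the app client, missing custom: prefix, wrong case) can be checked before the request is sent. The following is an added example, not code from any of the answers: it assumes you already have the app client's WriteAttributes list (the field returned by DescribeUserPoolClient), and the function name and sample data are constructed for illustration.

```javascript
// Added example: pre-flight check of an UpdateUserAttributes / signUp payload
// against an app client's writable attributes. Pure function, no AWS calls.

// Constructed sample: WriteAttributes of a hypothetical app client, in the
// shape returned by DescribeUserPoolClient (UserPoolClient.WriteAttributes).
const sampleWriteAttributes = [
  'name', 'email',
  'custom:company', 'custom:division', 'custom:linkedin',
  'custom:location', 'custom:bio',
];

// Constructed sample payload, modelled on the request in the question.
const sampleUserAttributes = [
  { Name: 'name', Value: 'Steve Austin' },
  { Name: 'custom:division', Value: 'Bionics' },
  { Name: 'custom:recruitingrole', Value: 'other' }, // not writable for this client
  { Name: 'location', Value: 'Mexico City' },        // missing custom: prefix
  { Name: 'Email', Value: 'steve@example.com' },     // wrong case
];

// Returns one finding per attribute the client is not allowed to write,
// with a suggested name when the cause looks like a prefix or case mistake.
function findUnwritableAttributes(userAttributes, writeAttributes) {
  const writable = new Set(writeAttributes);
  const byLowerCase = new Map(writeAttributes.map((n) => [n.toLowerCase(), n]));
  const findings = [];
  for (const { Name } of userAttributes) {
    if (writable.has(Name)) continue; // exact match: the write is permitted
    let reason = 'not in WriteAttributes';
    let suggestion = null;
    if (writable.has(`custom:${Name}`)) {
      reason = 'missing custom: prefix';
      suggestion = `custom:${Name}`;
    } else if (byLowerCase.has(Name.toLowerCase())) {
      reason = 'case mismatch';
      suggestion = byLowerCase.get(Name.toLowerCase());
    }
    findings.push({ name: Name, reason, suggestion });
  }
  return findings;
}

console.log(findUnwritableAttributes(sampleUserAttributes, sampleWriteAttributes));
```

A "not in WriteAttributes" finding means the app client's permission setting is doing its job. Before making an attribute such as custom:role writable, keep in mind that any signed-in user of that client can then set it on their own profile.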
Solution 8 - Javascript
In my case the issue was in accessing a variable with an incorrect name. To sum up, my steps were the following.
- Add attribute: General settings -> Attributes -> Add custom attribute link
- Ensure you set read/write permissions: General settings -> App clients -> Show details -> Set attributes permissions link
- Do not forget to access your variable with the correct name. For example, if your variable is named 'foo' you should get it as 'custom:foo' like below.