Incorrect `username` field in authorizer request context and cognito JWT

We use Cognito as our auth service and have set up a passwordless auth flow based on phone number. It works in the real AWS environment, but not in LocalStack. The issue happens when we read the username from the authorizer request context like this: `event.requestContext.authorizer.claims.username`. We expect `driverUuid` but find the user's phone number instead.

This is how we create users:

.adminCreateUser({
  UserPoolId: getEnvVar('END_USER_COGNITO_USER_POOL'),
  Username: driverUuid,
  MessageAction: 'SUPPRESS',
  UserAttributes: [
    {
      Name: 'name',
      Value: `${firstName} ${lastName}`,
    },
    {
      Name: 'phone_number',
      Value: phoneNumber,
    },
    {
      Name: 'phone_number_verified',
      Value: 'true',
    },
  ],
})

And this is how we authenticate them:

.initiateAuth({
  AuthFlow: 'USER_PASSWORD_AUTH',
  ClientId: cognitoClient,
  AuthParameters: {
    USERNAME: username, // here username is a phone number
    PASSWORD: password,
  },
})

USERNAME can be either an email address or a phone number, since both are configured as alias attributes on the pool. In our case it is the phone number.

When inspecting the tokens returned by the initiateAuth method we found an inconsistency. In the access token the "username" field is set to the phone number, whereas I believe it should be the driverUuid we used to create the user.

{
  "exp": 1721815790,
  "iss": "http://localhost.localstack.cloud:4566/us-west-2_8a0595d985f64569b36f0c7a6317de8a",
  "sub": "c45bc2b1-4c90-418c-a2fc-31a8ea779543",
  "auth_time": 1721812190,
  "iat": 1721812190,
  "event_id": "e233e71e-f96c-4c75-ae38-9b6e4c051080",
  "token_use": "access",
  "username": "+12132014585",
  "jti": "accdfd34-b7af-487e-95a8-04a7e69f89ad",
  "client_id": "d42tnj2uae4qqodtmhia316e0p",
  "scope": "aws.cognito.signin.user.admin"
}

The same goes for the ID token, but there the field is "cognito:username":

{
  "exp": 1721815790,
  "iss": "http://localhost.localstack.cloud:4566/us-west-2_8a0595d985f64569b36f0c7a6317de8a",
  "sub": "c45bc2b1-4c90-418c-a2fc-31a8ea779543",
  "auth_time": 1721812190,
  "iat": 1721812190,
  "event_id": "e233e71e-f96c-4c75-ae38-9b6e4c051080",
  "token_use": "id",
  "cognito:username": "+12132014585",
  "aud": "d42tnj2uae4qqodtmhia316e0p",
  "name": "Mnenk Gzosn",
  "phone_number": "+12132014585",
  "phone_number_verified": "true",
  "cognito:user_status": "CONFIRMED"
}

Here is that user as stored in Cognito:

{
    "Username": "e919d81c-0cdf-45e9-8c46-1ea88c35ea51",
    "Attributes": [
        {
            "Name": "name",
            "Value": "Mnenk Gzosn"
        },
        {
            "Name": "phone_number",
            "Value": "+12132014585"
        },
        {
            "Name": "phone_number_verified",
            "Value": "true"
        },
        {
            "Name": "sub",
            "Value": "c45bc2b1-4c90-418c-a2fc-31a8ea779543"
        },
        {
            "Name": "cognito:username",
            "Value": "e919d81c-0cdf-45e9-8c46-1ea88c35ea51"
        }
    ],
    "UserCreateDate": 1721812190.053846,
    "UserLastModifiedDate": 1721812190.053846,
    "Enabled": true,
    "UserStatus": "CONFIRMED"
}

And the user pool configuration:

{
    "UserPool": {
        "Id": "us-west-2_8a0595d985f64569b36f0c7a6317de8a",
        "Name": "e2e--infrastructure--EndUserCognitoUserPoolV2",
        "Policies": {
            "PasswordPolicy": {
                "MinimumLength": 8,
                "RequireUppercase": false,
                "RequireLowercase": false,
                "RequireNumbers": true,
                "RequireSymbols": true
            }
        },
        "DeletionProtection": "INACTIVE",
        "LambdaConfig": {
            "DefineAuthChallenge": "arn:aws:lambda:us-west-2:000000000000:function:e2e--auth-api--end-user-define-auth-challenge",
            "CreateAuthChallenge": "arn:aws:lambda:us-west-2:000000000000:function:e2e--auth-api--end-user-create-auth-challenge",
            "VerifyAuthChallengeResponse": "arn:aws:lambda:us-west-2:000000000000:function:e2e--auth-api--end-user-verify-auth-challenge",
            "UserMigration": "arn:aws:lambda:us-west-2:000000000000:function:e2e--auth-api--end-user-lazy-migrate-cognito-pool"
        },
        "LastModifiedDate": 1721779014.161951,
        "CreationDate": 1721779014.161955,
        "SchemaAttributes": [
            {
                "Name": "email",
                "AttributeDataType": "String",
                "Mutable": true,
                "Required": false
            },
            {
                "Name": "name",
                "AttributeDataType": "String",
                "Mutable": true,
                "Required": true
            },
            {
                "Name": "phone_number",
                "AttributeDataType": "String",
                "Mutable": true,
                "Required": true
            },
            {
                "Name": "stripe_customer",
                "AttributeDataType": "String",
                "Mutable": true
            }
        ],
        "AliasAttributes": [
            "email",
            "phone_number"
        ],
        "VerificationMessageTemplate": {
            "DefaultEmailOption": "CONFIRM_WITH_CODE"
        },
        "UserAttributeUpdateSettings": {
            "AttributesRequireVerificationBeforeUpdate": []
        },
        "MfaConfiguration": "OFF",
        "EstimatedNumberOfUsers": 6,
        "EmailConfiguration": {
            "EmailSendingAccount": "COGNITO_DEFAULT"
        },
        "AdminCreateUserConfig": {
            "AllowAdminCreateUserOnly": false
        },
        "Arn": "arn:aws:cognito-idp:us-west-2:000000000000:userpool/us-west-2_8a0595d985f64569b36f0c7a6317de8a"
    }
}

The username field in the tokens and in the authorizer context should be the Username specified in the create-user request (here the driverUuid), not the alias that was used to sign in. Note that the `sub` claim is identical in both tokens and in the stored user record, so it is the stable identifier regardless of which alias the user signed in with.

This issue has been fixed in the latest LocalStack image. You can update your image by running `localstack update docker-images` or `docker pull localstack/localstack:latest`.