Amazon Cognito now allows you to include additional contextual information in the OAuth 2.0 client credentials flow for M2M access token requests, enhancing your control over machine-based interactions. M2M authorization is commonly used for automated processes such as data synchronization, event-driven workflows, and microservice communication. This capability enables customers to provide context-specific details (e.g., attributes of the machine such as IP address, location, or environment; or business context such as application name or tenant ID) when requesting access tokens for machine-based interactions. For example, consider an organization's internal API service that needs different access patterns across development and production environments. Using ClientMetadata, you can now specify {"environment": "dev"} or {"environment": "prod"} when requesting access tokens. With Cognito's support for pre token generation Lambda triggers, you can process this context to customize token scopes (e.g., api:read_all, api:write_restricted) and add environment-specific claims such as rate limits. The API can then examine these scopes and claims to enforce the appropriate access controls and rate limiting.
Without the ClientMetadata parameter, customers often needed separate app clients (e.g., 'internal-api-dev', 'internal-api-prod') to express contextual information, causing app client sprawl. Now a single M2M app client can include contextual metadata with each request, reducing the need for multiple app clients and optimizing app client cost while providing context-aware authorization.
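The following is an added example of the pre token generation Lambda described above; it is not code from the announcement or from AWS. It assumes the pre token generation trigger event/response shape that carries request.clientMetadata, request.scopes and response.claimsAndScopeOverrideDetails (the version 2 trigger structure). The environment names, scope names, claim names and rate-limit values are constructed for illustration. The security-relevant point it shows is that ClientMetadata is supplied by the caller, so the trigger validates it against an allowlist, falls back to the most restrictive policy for anything unknown, and suppresses any requested scope the selected environment does not permit rather than trusting the metadata as-is.

```python
"""
Pre token generation Lambda for M2M (client_credentials) token requests.

Reads the caller-supplied ClientMetadata, maps a validated "environment"
value to a per-environment policy, and emits scope/claim overrides for the
access token. Added example; event field names follow the Cognito pre token
generation trigger (version 2) structure. Policy values are constructed.
"""
import json

# Constructed policy table: which scopes each environment may hold and the
# rate limit the downstream API should enforce for tokens issued with it.
ENVIRONMENT_POLICY = {
    "dev": {
        "allowed_scopes": ["api:read_all", "api:write_restricted"],
        "rate_limit_per_minute": 1000,
    },
    "prod": {
        "allowed_scopes": ["api:read_all"],
        "rate_limit_per_minute": 100,
    },
}

# Missing, malformed or unrecognised metadata falls back to the most
# restrictive policy instead of failing open.
DEFAULT_ENVIRONMENT = "prod"


def resolve_environment(client_metadata):
    """Return an allowlisted environment name derived from ClientMetadata."""
    value = (client_metadata or {}).get("environment", "")
    if not isinstance(value, str):
        return DEFAULT_ENVIRONMENT
    value = value.strip().lower()
    return value if value in ENVIRONMENT_POLICY else DEFAULT_ENVIRONMENT


def build_override(client_metadata, requested_scopes):
    """Build the claimsAndScopeOverrideDetails block for the access token."""
    env = resolve_environment(client_metadata)
    policy = ENVIRONMENT_POLICY[env]
    allowed = set(policy["allowed_scopes"])

    # Scopes the app client asked for but this environment does not permit.
    to_suppress = [s for s in requested_scopes if s not in allowed]
    # Scopes the environment grants that were not already requested.
    to_add = [s for s in policy["allowed_scopes"] if s not in requested_scopes]

    return {
        "accessTokenGeneration": {
            "claimsToAddOrOverride": {
                "environment": env,
                # Claim values kept as strings for portability across trigger versions.
                "rate_limit_per_minute": str(policy["rate_limit_per_minute"]),
            },
            "scopesToAdd": to_add,
            "scopesToSuppress": to_suppress,
        }
    }


def handler(event, context=None):
    """Lambda entry point: attach the override block and return the event."""
    request = event.get("request", {})
    override = build_override(
        request.get("clientMetadata"), request.get("scopes", []) or []
    )
    event.setdefault("response", {})["claimsAndScopeOverrideDetails"] = override
    return event


if __name__ == "__main__":
    # Constructed sample event: a prod request that also asks for a write scope.
    sample_event = {
        "version": "2",
        "request": {
            "scopes": ["api:read_all", "api:write_restricted"],
            "clientMetadata": {"environment": "prod"},
        },
        "response": {},
    }
    print(json.dumps(handler(sample_event)["response"], indent=2))
```

Because the fallback is the restrictive policy, a request that omits ClientMetadata or sends an unexpected value such as "Staging" is issued a prod-shaped token, and the write scope it requested is listed under scopesToSuppress; the downstream API then reads the environment and rate_limit_per_minute claims to enforce its own limits.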
This capability is available to Amazon Cognito customers using the Essentials or Plus tiers in AWS Regions where Cognito is available, including the AWS GovCloud (US) Regions. To learn more, refer to the developer guide and the Pricing Detail Page for M2M authorization flow pricing.