Some JWT tokens returned by AWSCognitoIdentityUserSession's idToken.tokenClaims are empty

[hito1402]

I am using the AWSCognitoIdentityProvider on iOS to perform Cognito user logins, and I'm trying to retrieve the group name with the following code:

func getGroupName(_ callback: @escaping (String?)->()) {
    let pool = AWSCognitoIdentityUserPool(forKey: "UserPool")
    guard let user = pool?.currentUser() else {
        callback("invalid token")
        return
    }
    user.getSession().continueWith { (task) -> Any? in
        if let tokenClaims = task.result?.idToken?.tokenClaims, let groupNames = tokenClaims["cognito:groups"] as? [String], let groupName = groupNames.first {
            callback(groupName)
        } else {
            callback(nil)
        }
        return nil
    }
}

However, I'm encountering an issue where tokenClaims returns an empty dictionary, which is not the expected behavior. This issue only occurs with some users, even though I've tested it with multiple.

Upon examining the idToken payload, I noticed that the base64-encoded payload contains hyphens ("-"). According to the JWT specification, payloads are supposed to be URL-safe, but I don't see any processing in tokenClaims that replaces hyphens with pluses ("+").

I have confirmed that replacing hyphens with pluses in the payload allows it to be correctly converted into JSON data.

Here's the related code in the AWS SDK for iOS: AWSCognitoIdentityUser.m

Environment

• AWSCognitoIdentityProvider (2.33.4):
  • AWSCognitoIdentityProviderASF (= 2.33.4)
  • AWSCore (= 2.33.4)
• AWSCognitoIdentityProviderASF (2.33.4):
  • AWSCore (= 2.33.4)

[lawmicha]

Hi @hito1402, thank you for opening this issue. We'll investigate further and will provide an update when we can.