fetchUserAttributes should use /oauth2/userInfo endpoint vs Cognito API call requiring aws.cognito.signin.user.admin scope

[andyfase]

Before opening, please confirm:

• I have searched for duplicate or closed issues and discussions.
• I have read the guide for submitting bug reports.
• I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.

JavaScript Framework

React

Amplify APIs

Authentication

Amplify Version

v6

Amplify Categories

auth

Backend

None

Environment information

  System:
    OS: macOS 15.2
    CPU: (10) arm64 Apple M1 Pro
    Memory: 1.18 GB / 32.00 GB
    Shell: 3.2.57 - /bin/bash
  Binaries:
    Node: 20.14.0 - ~/.n/bin/node
    Yarn: 1.22.22 - ~/.n/bin/yarn
    npm: 10.7.0 - ~/.n/bin/npm
  Browsers:
    Chrome: 132.0.6834.83
    Edge: 131.0.2903.112
    Safari: 18.2
  npmPackages:
    @aws-amplify/ui-react: ^6.5.1 => 6.5.1
    @aws-amplify/ui-react-internal:  undefined ()
    @aws-amplify/ui-react-server:  undefined ()
    @cloudscape-design/components: ^3.0.773 => 3.0.773
    @cloudscape-design/global-styles: ^1.0.32 => 1.0.32
    @eslint/js: ^9.11.1 => 9.11.1
    @tanstack/query-codemods:  undefined ()
    @tanstack/react-query: ^5.59.0 => 5.59.20
    @tanstack/react-query-devtools: ^5.58.0 => 5.58.0
    @types/node: ^22.8.4 => 22.8.4
    @types/react: ^18.3.3 => 18.3.10
    @types/react-dom: ^18.3.0 => 18.3.0
    @vitejs/plugin-react: ^4.3.1 => 4.3.1
    aws-amplify: ^6.6.2 => 6.12.1
    aws-amplify/adapter-core:  undefined ()
    aws-amplify/analytics:  undefined ()
    aws-amplify/analytics/kinesis:  undefined ()
    aws-amplify/analytics/kinesis-firehose:  undefined ()
    aws-amplify/analytics/personalize:  undefined ()
    aws-amplify/analytics/pinpoint:  undefined ()
    aws-amplify/api:  undefined ()
    aws-amplify/api/server:  undefined ()
    aws-amplify/auth:  undefined ()
    aws-amplify/auth/cognito:  undefined ()
    aws-amplify/auth/cognito/server:  undefined ()
    aws-amplify/auth/enable-oauth-listener:  undefined ()
    aws-amplify/auth/server:  undefined ()
    aws-amplify/data:  undefined ()
    aws-amplify/data/server:  undefined ()
    aws-amplify/datastore:  undefined ()
    aws-amplify/in-app-messaging:  undefined ()
    aws-amplify/in-app-messaging/pinpoint:  undefined ()
    aws-amplify/push-notifications:  undefined ()
    aws-amplify/push-notifications/pinpoint:  undefined ()
    aws-amplify/storage:  undefined ()
    aws-amplify/storage/s3:  undefined ()
    aws-amplify/storage/s3/server:  undefined ()
    aws-amplify/storage/server:  undefined ()
    aws-amplify/utils:  undefined ()
    eslint: ^9.11.1 => 9.11.1
    eslint-plugin-react: ^7.37.0 => 7.37.0
    globals: ^15.9.0 => 15.9.0 (11.12.0, 14.0.0)
    i18next-browser-languagedetector: ^8.0.0 => 8.0.0
    ky: ^1.7.2 => 1.7.2
    libphonenumber-js: ^1.11.16 => 1.11.16
    libphonenumber-js/build:  undefined ()
    libphonenumber-js/core:  undefined ()
    libphonenumber-js/max:  undefined ()
    libphonenumber-js/max/metadata:  undefined ()
    libphonenumber-js/min:  undefined ()
    libphonenumber-js/min/metadata:  undefined ()
    libphonenumber-js/mobile:  undefined ()
    libphonenumber-js/mobile/examples:  undefined ()
    libphonenumber-js/mobile/metadata:  undefined ()
    lint-staged: ^15.2.10 => 15.2.10
    prettier: ^3.3.3 => 3.3.3
    react: ^18.3.1 => 18.3.1
    react-dom: ^18.3.1 => 18.3.1
    react-i18next: ^15.0.2 => 15.0.2
    react-json-view-lite: ^2.0.1 => 2.0.1
    react-loading-skeleton: ^3.5.0 => 3.5.0
    react-router-dom: ^6.26.2 => 6.26.2
    typescript: ^5.6.2 => 5.6.2
    typescript-eslint: ^8.7.0 => 8.7.0
    vite: ^5.4.1 => 5.4.8
    zod: ^3.23.8 => 3.23.8
  npmGlobalPackages:
    @angular/cli: 18.2.8
    @microsoft/rush: 5.119.0
    aws-cdk: 2.160.0
    corepack: 0.28.1
    eslint: 9.13.0
    jsonwebtoken: 9.0.2
    npm: 10.7.0
    ts-node: 10.9.2
    typescript: 5.4.5
    yarn: 1.22.22

Describe the bug

The method fetchUserAttributes currently performs a Cognito SDK API call which therefore requires the scope aws.cognito.signin.user.admin

This is unnecessary and imo not great security wise as the aws.cognito.signin.user.admin scope allows access to ANY control plane operation that accepts an Access Token

Cognito has OAUTH endpoints that will return the same userprofile information at /oauth2/UserInfo this will return all user attributes the access token has access to - requiring only the profile scope and perhaps email and phone scope depending on what attributes are needed to be retrieved.

Expected behavior

Able to call fetchUserAttributes without setting the scope aws.cognito.signin.user.admin as that scope should not be required to just fetch user attributes.

Reproduction steps

call fetchUserAttributes without the admin scope - see that the Cognito control plane API is hit vs the oauth API

Code Snippet

// Put your code below this line.

Log output

// Put your logs below this line

aws-exports.js

No response

Manual configuration

No response

Additional configuration

No response

Mobile Device

No response

Mobile Operating System

No response

Mobile Browser

No response

Mobile Browser Version

No response

Additional information and screenshots

No response

[jjarvisp]

Hey @andyfase, thanks for opening this issue. We'll review internally and follow up shortly!