Skip to content

chore(cognito): validate custom attribute names don't conflict with standard attributes #36010

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(cognito): validate custom attribute names don't conflict with standard attributes #36010

wants to merge 1 commit into from
+105 −0

Conversation

@pahud
Copy link
Contributor

@pahud pahud commented Nov 11, 2025

Issue # (if applicable)

Closes #31593.

Reason for this change

Custom attributes in Cognito User Pools with names matching standard attributes (e.g., name, email, phone_number) were silently dropped by CloudFormation during deployment. This led to runtime failures with no clear indication of the problem, making it difficult for developers to diagnose the issue.

Description of changes

Added synthesis-time validation in the UserPool.schemaConfiguration method to detect name collisions between custom attributes and standard attributes:

  • Validates custom attribute names against all 20 standard attribute names during CDK synthesis
  • Throws a clear ValidationError with the conflicting attribute name and a complete list of standard attributes
  • Properly handles CloudFormation Tokens (parameters) by skipping validation for unresolved values
  • Provides actionable error messages that guide developers to rename conflicting attributes

Example error message:

Custom attribute 'name' conflicts with a standard attribute name. 
Custom attributes cannot use the same name as standard attributes. 
Standard attribute names: address, birthdate, email, family_name, gender, 
given_name, locale, middle_name, name, nickname, phone_number, picture, 
preferred_username, profile, zoneinfo, updated_at, website, email_verified, 
phone_number_verified

Standard attributes validated (20 total):
address, birthdate, email, family_name, gender, given_name, locale, middle_name, name, nickname, phone_number, picture, preferred_username, profile, zoneinfo, updated_at, website, email_verified, phone_number_verified

Breaking changes: None. This change only affects code that was already broken (silent failures). Existing valid configurations continue to work unchanged.

Describe any new or updated permissions being added

N/A - No IAM permissions or resource access changes.

Description of how you validated changes

  • Unit tests: Added 5 comprehensive test cases covering:

    • Single collision detection (e.g., custom attribute named name)
    • Multiple collision detection across different standard attribute names
    • Valid non-conflicting custom attribute names
    • CloudFormation parameter handling (Token.isUnresolved)
    • Error message completeness and clarity

  • Test results: All 344 existing tests pass (100% success rate), plus 5 new tests

  • Regression testing: Verified no impact on existing functionality

  • JSII compatibility: Confirmed ValidationError works across all language bindings

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@pahud
feat(cognito): prevent custom attributes from conflicting with standa…
353be86 
…rd attributes

- Add validation to ensure custom Cognito user pool attributes do not use names of standard attributes
- Throw a descriptive ValidationError when a custom attribute name conflicts with a standard attribute
- Include a comprehensive error message listing all standard attribute names
- Add test cases to verify attribute name validation for various scenarios
- Support CloudFormation parameter-based attribute names to maintain flexibility
- Improve error handling and provide clear guidance for attribute configuration
@github-actions github-actions bot added bug This issue is a bug. effort/medium Medium work item – several days of effort p2 labels Nov 11, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team November 11, 2025 13:56
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/medium Medium work item – several days of effort p2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

aws-cognito: Custom attributes cannot have the same name as standard attributes

1 participant

@pahud