Federated user fails to update mutable attributes with a 400 response: "Access Token does not have required scopes"
Describe the bug
Using "aws-amplify": "3.0.22", when a federated user from an external identity provider (e.g. Google) tries to update a mutable (in my case custom) attribute, it gets a 400 error as follows:
code: "NotAuthorizedException"
message: "Access Token does not have required scopes"
name: "NotAuthorizedException"
Please note that an internal user can successfully update the attribute and hence, all the scopes on the client and Cognito sides are set correctly.
To Reproduce
Steps to reproduce the behavior:
- Setup an external identity provider e.g. Google and enable it on the app client settings
- Configure the correct readable and writable attributes
- Use the following code to update an attribute
import { Auth } from 'aws-amplify';

// Current signed-in (federated) user, then attempt a mutable custom-attribute update
const user = await Auth.currentAuthenticatedUser();
const result = await Auth.updateUserAttributes(user, { 'custom:role': 'myRole' });
Expected behavior
Be able to update a mutable attribute which is not mapped from the external identity provider.
Observed behavior
A 400 response code from https://cognito-idp.ap-southeast-2.amazonaws.com/ carrying the NotAuthorizedException error shown above.
What is Configured?
{
  Auth: {
    identityPoolId: 'XX-XXXX-X:XXXXXXXX-XXXX-1234-abcd-1234567890ab',
    region: 'XX-XXXX-X',
    identityPoolRegion: 'XX-XXXX-X',
    userPoolId: 'XX-XXXX-X_abcd1234',
    userPoolWebClientId: 'a1b2c3d4e5f6g7h8i9j0k1l2m3',
    mandatorySignIn: false,
    oauth: {
      domain: 'your_cognito_domain',
      scope: ['phone', 'email', 'profile', 'openid'],
      redirectSignIn: 'http://localhost:3000/',
      redirectSignOut: 'http://localhost:3000/',
      responseType: 'code'
    }
  }
}
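Added diagnostic example (not code from the issue or from the Amplify project): Cognito's UpdateUserAttributes API only accepts an access token that carries the aws.cognito.signin.user.admin scope, and a token obtained through the hosted UI / OAuth flow carries exactly the scopes listed in the client's oauth.scope, which in the configuration above does not include it. The helper below decodes a (constructed, unsigned) access token to show the missing scope, and returns the corrected scope list; the token and scope strings are constructed for the demonstration.

```javascript
// Scope Cognito requires on an access token for UpdateUserAttributes.
const REQUIRED_SCOPE = 'aws.cognito.signin.user.admin';

// Decode a JWT payload without verifying it (diagnostic use only; the
// signature is validated by Cognito, not by this helper).
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True when the access token's space-separated `scope` claim contains the
// scope needed for attribute updates; false explains the 400 in the issue.
function accessTokenAllowsAttributeUpdate(jwt) {
  const scopes = (decodeJwtPayload(jwt).scope || '').split(' ');
  return scopes.includes(REQUIRED_SCOPE);
}

// Return an Amplify `oauth.scope` list with the missing scope appended, so
// the next hosted-UI sign-in yields an access token Cognito will accept.
function fixOauthScopes(scopeList) {
  return scopeList.includes(REQUIRED_SCOPE)
    ? scopeList
    : [...scopeList, REQUIRED_SCOPE];
}

// Build a constructed, unsigned sample access token with the given scopes
// (mirrors what the hosted UI issues for the configuration in the issue).
function makeSampleToken(scope) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc({ token_use: 'access', scope })}.sig`;
}

const issueScopes = ['phone', 'email', 'profile', 'openid'];
const federatedToken = makeSampleToken(issueScopes.join(' '));
console.log(accessTokenAllowsAttributeUpdate(federatedToken)); // false
console.log(fixOauthScopes(issueScopes)); // adds aws.cognito.signin.user.admin
```

An internal (username/password) user is unaffected because the SRP flow issues an access token that already includes aws.cognito.signin.user.admin, which matches the poster's observation.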
Issue Analytics
- Created 3 years ago
- Reactions: 2
- Comments: 15 (3 by maintainers)
Top GitHub Comments
Closing this for now as we seem to have a working solution and have not heard back from the original poster. Thank you, @DeniferSantiago for pointing out this necessary step.
If anyone else tries this and it does not work for you, please open a new issue with the details of your particular project configuration.
Hi. I too am having the same issue. I hope this gets resolved.