Reputation: 2658
I am trying to get Cognito user data in a Lambda function. I am trying to pass it to Lambda using a body mapping template
as
{
"cognito-authentication-provider" : "$context.identity.cognitoAuthenticationProvider",
"cognito-authentication-type" : "$context.identity.cognitoAuthenticationType",
"cognito-identity-id" : "$context.identity.cognitoIdentityId",
"cognito-identity-pool-id" : "$context.identity.cognitoIdentityPoolId"
}
But in the Lambda function, the data comes through empty as
'cognito-authentication-provider': '',
'cognito-authentication-type': '',
'cognito-identity-id': '',
'cognito-identity-pool-id': ''
Please help me solve this.
Thanks...
EDIT:
Added Cognito authentication dev-dummy-auth
as
Upvotes: 0
Views: 1999
Reputation: 12033
If you enable Use Lambda Proxy integration in Integration Request, everything will show up in event['requestContext']['authorizer']['claims']
Upvotes: 0
Reputation: 2155
To build on Dilip Kola's answer. It appears that the context variables you are trying to access do not exist for the authorization method you are using.
The only way I can see to get the token information to the underlying Lambda service is to pass the whole token down and open it in the Lambda with an appropriate library for the language you are using.
You can pass the token by adding a line to your body mapping template.
{"Authorization" : "$input.params().header.get('Authorization')"}
A Cognito ID token is in the form of a JWT (JSON Web Token). The ISS claim is in the format https://cognito-idp.{region}.amazonaws.com/{userPoolId}.
Update - To include information about User Groups
The Cognito Identity token does not contain the User Groups of the user who was issued the token.
To restrict API access to individuals in certain User Groups, you will have to change your authentication method to AWS_IAM Authorizer using Cognito Federated Identities.
An alternative would be to use a custom attribute such as role in Cognito, marking certain users as Admin, User, etc. (as these can be passed in the ID token), and then evaluating that custom attribute. If you were going to go down this route, I would move to a Custom Lambda Authorizer method of authentication. This way you can check the custom attributes at the same time you validate the token, so requests never reach the backend if the user does not have the correct access rights.
Upvotes: 1
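As an added illustration of the approach in the answer above (this is example code, not from the answer or from AWS), here is a stdlib-only Lambda-side helper that reads the token the `{"Authorization": ...}` mapping template forwards, decodes the JWT payload, and applies the claim checks that matter after signature verification: the `iss` format quoted above, `token_use`, `aud` and `exp`, with a custom `role` attribute then readable as `custom:role`. The region, pool id, app client id and the sample token are constructed placeholders, and RS256 signature verification against the pool's JWKS is deliberately left to a JWT library, as the comment states.

```python
import base64
import json
import time
# Constructed placeholder values; substitute your own region, pool and app client.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
# Issuer format from the answer: https://cognito-idp.{region}.amazonaws.com/{userPoolId}
EXPECTED_ISS = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def token_from_event(event):
    """Read the token from the body the mapping template builds:
    {"Authorization": "$input.params().header.get('Authorization')"}"""
    body = json.loads(event["body"]) if isinstance(event.get("body"), str) else event
    value = body.get("Authorization", "")
    return value[len("Bearer "):] if value.startswith("Bearer ") else value

def jwt_payload(token):
    """Return the payload claims WITHOUT checking the RS256 signature: a real Lambda
    must verify it against the pool JWKS (EXPECTED_ISS + '/.well-known/jwks.json') first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def check_id_token_claims(claims, now=None):
    """Return the names of failed checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != EXPECTED_ISS:
        problems.append("iss")        # minted by another pool or a foreign issuer
    if claims.get("token_use") != "id":
        problems.append("token_use")  # access tokens carry no user attributes
    if claims.get("aud") != APP_CLIENT_ID:
        problems.append("aud")        # issued to a different app client
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp")        # missing or expired
    return problems

# Constructed sample token (placeholder signature segment; real ones are RS256-signed).
SAMPLE_CLAIMS = {"iss": EXPECTED_ISS, "token_use": "id", "aud": APP_CLIENT_ID, "exp": 1_800_000_000, "custom:role": "Admin"}
SAMPLE_TOKEN = ".".join([_b64url_encode(json.dumps({"alg": "RS256"}).encode()),
                         _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()), "sig"])
```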
Reputation: 212
https://docs.aws.amazon.com/apigateway/latest/developerguide/api-gateway-mapping-template-reference.html#context-variable-reference You are referring to the context variables for API requests made with Cognito Identity Pool credentials; when you use a Cognito User Pool authorizer, these won't be available.
Upvotes: 1