Tahniat Ashraf

Reputation: 1050

Identify user within AWS Lambda from authorization token generated via Cognito

We are using API Gateway to expose our APIs, which sit in front of AWS Lambdas. As the authorizer, a Cognito user pool has been used in API Gateway to authenticate the user and protect the protected endpoints. So the general flow is: the user passes the information below to get an access token from Cognito via an API Gateway endpoint (/grantToken):

1. App client id
2. App client secret
3. username
4. password

After obtaining the access_token, the user passes this authorization token in the header while accessing the protected endpoints. Cognito automatically authorizes the user and redirects the request to the specific AWS Lambdas. This much is working fine.

What I want to know is: within the Lambda, from the authorization token (passed in the header), how can I determine which user's token was passed? Is there any other way to determine the identity of the authorized user? Does AWS Cognito have any use in this case?

Note : If I can get App client id from the passed authorization token, it will serve my purpose.

Upvotes: 5

Views: 2994

Answers (3)

dz902

Reputation: 5828

For Googlers:

If you want to access the JWT claims in Lambda after the authorizer has done its job, find them under the event parameter, which is the first parameter passed to your Lambda.

This is true for an HTTP API with a JWT authorizer (Cognito-backed); it should also work in other situations.

The documentation is again confusing in indicating the use of $context; this is not required by HTTP API + Lambda + JWT authorizer.

Upvotes: 1
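The point above, as an added example (my code, not from the answer or from AWS): a Lambda handler that reads the claims the API Gateway authorizer has already verified from the `event` object and fails closed when they are absent. The two event shapes it assumes are the documented ones, `event.requestContext.authorizer.jwt.claims` for an HTTP API with a JWT authorizer and `event.requestContext.authorizer.claims` for a REST API with a Cognito user pool authorizer; the sample events are constructed, not captured from a deployment. Note the claim names differ by token type: an access token carries `username` and `client_id`, an ID token carries `cognito:username` and `aud`.

```javascript
// Added example (not from the original answer): read the claims that the API
// Gateway authorizer already verified, straight from the Lambda event object.
// Assumed event shapes (as documented by AWS, not taken from this page):
//   HTTP API (payload v2) + JWT authorizer   -> event.requestContext.authorizer.jwt.claims
//   REST API + Cognito user pool authorizer  -> event.requestContext.authorizer.claims

function extractCallerFromEvent(event) {
  const ctx = (event && event.requestContext) || {};
  const authorizer = ctx.authorizer || {};
  // Prefer the HTTP API shape, fall back to the REST API shape.
  const claims = (authorizer.jwt && authorizer.jwt.claims) || authorizer.claims;
  if (!claims || typeof claims !== 'object') {
    // The route is not behind the authorizer, or the authorizer is misconfigured.
    // Fail closed rather than treating the request as an anonymous caller.
    throw new Error('no authorizer claims on event; refusing to identify caller');
  }
  const tokenUse = claims.token_use;
  if (tokenUse !== 'access' && tokenUse !== 'id') {
    throw new Error(`unexpected token_use: ${tokenUse}`);
  }
  const isAccess = tokenUse === 'access';
  return {
    tokenUse,
    // `sub` is the stable user identifier in both token types; key your data on it,
    // not on the username, which an administrator can change.
    sub: claims.sub,
    // Access tokens carry `username` and `client_id`; ID tokens carry
    // `cognito:username` and `aud` (the app client the token was issued to).
    username: isAccess ? claims.username : claims['cognito:username'],
    clientId: isAccess ? claims.client_id : claims.aud,
  };
}

// Lambda entry point: identifies the caller and echoes it back.
async function handler(event) {
  const caller = extractCallerFromEvent(event);
  return { statusCode: 200, body: JSON.stringify(caller) };
}

// Constructed sample events (not captured from a real deployment).
const SAMPLE_HTTP_API_EVENT = {
  version: '2.0',
  routeKey: 'GET /me',
  requestContext: {
    authorizer: {
      jwt: {
        claims: {
          sub: '11111111-2222-3333-4444-555555555555',
          token_use: 'access',
          client_id: '1example23456789abcdefghij', // hypothetical app client id
          username: 'alice',
          scope: 'aws.cognito.signin.user.admin',
          iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE', // hypothetical pool
        },
        scopes: ['aws.cognito.signin.user.admin'],
      },
    },
  },
};

const SAMPLE_REST_API_EVENT = {
  requestContext: {
    authorizer: {
      claims: {
        sub: '11111111-2222-3333-4444-555555555555',
        token_use: 'id',
        aud: '1example23456789abcdefghij',
        'cognito:username': 'alice',
        email: 'alice@example.com',
      },
    },
  },
};

if (typeof module !== 'undefined') {
  module.exports = { handler, extractCallerFromEvent, SAMPLE_HTTP_API_EVENT, SAMPLE_REST_API_EVENT };
}
```

The handler does no signature checking of its own: on a route that is behind the authorizer, API Gateway has already rejected any request whose token did not verify, so the claims on the event are trustworthy. On a route that is not behind the authorizer the claims are simply missing, which is why the function throws instead of returning an empty identity.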

Nikhil Kadam

Reputation: 143

Answers to your questions:

1. how can I determine which user's token was passed?

Eg:

var jwt = require('jsonwebtoken'); // you can use import
// token: the bearer token taken from the Authorization header
// secret: the verification key; Cognito signs its tokens with RS256, so this is the
// public key (from the user pool's JWKS) whose kid matches the token header, not a shared secret
var decoded = jwt.verify(token, secret); // throws if the signature or expiry check fails
console.log(decoded); // the verified claims, e.g. sub, username, client_id

2. Is there any other way to determine the identity of the authorized user?

  • You can use the access token to get user details from Cognito using the GetUser method.

Refer: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html

3. If I can get App client id from the passed authorization token, it will serve my purpose.

  • It is not possible to get the app client ID from the authorization token.

  • Generally, the app client ID is the one you received when you created the app in the User Pools section of the AWS Management Console for Cognito.

  • The user pool access token contains claims about the authenticated user, but unlike the ID token, it does not include identity information. The primary purpose of the access token is to authorize API operations in the context of the user in the user pool.

Refer: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

Right approach:

(image from the original answer not available)

Upvotes: 2

Ninad Gaikwad

Reputation: 4480

You can use the GetUser API to exchange the access_token for user details, which include their username. Just update your Lambda code to make this call.

Upvotes: 1
