Get AWS Cognito JWT token from Federated Identity credentials

Question

I have an old big project written in objective-c that can't be migrated by the moment.

We have integrated Cognito sign-up and login without any problem, retrieving the session JWT token that is sent to a Lambda function which decoded it and extractd the user id (sub)

Now, we need to add Federated Identities for Google and Facebook to log in. The first step is already doen, we log in with FB/AppleId, register the user in Cognito's identity pool and get the temporary credentials.

But, is there any way to get a Cognito JWT token to send to the Lambda functions so the Lambda can extract the user id as with Cognito login?

This is a sample credentials response.

    AccessKey: ASIAXQHR5J112WSRIYII
SecretKey: hBIpbSXvYu6Qs4GWd3arAS0JUNqYhIx8qKFB2osv
SessionKey: IQoJb3JpZ2luX2VjEB0aCWV1LXdlc3QtMSJIMEYCIQC0AJj8YcfM6CxXN0yY6VAsmqAIQIqd1s+TnIfOylvg0AIhALBOl334WewTS4chHJjUJozQpjUPkFHGmiuA24iv3FzvKpoECBYQABoMNTE1OTAzNDA5ODU5IgzTfJRwWTTgF/Vuyl8q9wNc+MEFNyXxEr39LmNmH9ftSno74u7deW2riAatFPAQUgeg5NVcV3AvsJtV7zhBHlI53W1DLdw0GlspLuaEyFbzEhoqYhB2lbeYFcf8ycieNtzyftPCv+ea1PMgDKzpTx+KhnYxpTULo5Pr+lII6CJuX88/BRdE+FEeJ8PJ9wZeXjqBO5egkEw9aWcHAe1rZK8yy6wwbIqo7j6V4sIWefivD1TDN0BsRU0lLQ3ZkRmdc5sptipecvQ5fTRaoIWzvtC0CdRacHoPTjMzCtfewMWQ1cCeq/LGsYzRtuFd0qDtNNX7FMSQdrwbt8pnFUxBKPJ9rDT+mOliqaWU7L73hlKLcY2HuBnycLCjnqYu1V0JDYtN2+Co9oHQIcfX5c5e8bPIp6jBQ5sVwizkp07LA0franRRrQzPQlZ2sJTKaNO1W85L6wJWd7DIaN72NL88WzSYzWbESxmjcvsfR3mQ0W8vKlsdxv0apHlJrcjAtAedbkSt3cR18eMgPyFXdudRmU0hWQBW4Oqe7fm9GCf+Ba1fTpjP1GMJw8FLIs798OTUUlCC3VF82iD5wTeU5uWTBAFLt3FE8fbxiCZ1Av0S7HPt+N8mS8d8U66/v/l/tkWVu22NMlXDjVyb87Ik0dzA9AovX/xvxMgPvTPWr9NvqM5kpQdOKxXEezC2hKT6BTqEApjGw3xilPSIdZyJ4KSTOKFzFGDjSOmZ69VOzf8XbjSENhhDFxEU3LaBGbblC9Hhjs+5dO21m2hPac2C85pTngkezckdgrh2ZTK6loGXnFvs5Uzbb4h3fPdHvw7cgU2HgMlyBTcd3k30hUULci+YJvSN6k1tA//VE8NykgGppWCd0OjQlXXi9/05PWSSAKL6lI9IGZfNuGvwO8K3GcNhP8IVRgbg9N7Nstd6+NParBNvhLayoeKo+j7AcfT6CEfUjO6iZMtK5vxHCC0mPclsmLpXu1MqEsSExIAX2R6vpniSVzzqLYDesZJFY/XKQKQKvUt7ryhStVwTfJHGGF1asB5ANF5t
Expiration: 2020-08-28 14:10:14 +0000

Thanks in advance!

Answer 1

For everyone coming here just to get the Cognito user sub, you can access it in event.requestContext.identity.cognitoAuthenticationProvider inside the lambda if it's a proxy or $.context.identity.cognitoIdentityId in the request template if not.

You'll get something like

cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx,cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx:CognitoSignIn:yyyyyy-yyyyy-yyyyy-yyyy

where the yyyyyy-yyyyy-yyyyy-yyyy is the Cognito sub.

See https://sst.dev/chapters/mapping-cognito-identity-id-and-user-pool-id.html

Answer 2

Perhaps you don't need to use an Identity Pool at all, and can just stick with the User Pool by itself. You can in fact configure 3rd party sign-ins via the User Pool.

If you go into your User Pool in the AWS console and have a look at the bottom of the menu, you will see "Federation". You can set up Federation here without needing an Identity Pool.

1. You can click on the "Identity Providers" link where you can enter the credentials and OAuth scopes for each of the 3rd Party Identity Providers (e.g Facebook) that you want the user to be able to log in with.
2. Then you can click on the "Attribute Mapping" link and configure the mapping of user data from each of the 3rd parties to the same values in your User Pool, so that no matter where the user has come from it is stored with the same properties in the user directory of the User Pool.
3. Once you have configured a 3rd party identity provider in the User Pool, it will appear as an option in the "Enabled Identity Providers" shown in the "App Client Settings" for a user pool.
4. When you enable the 3rd party identity providers in "App Client Settings", then the buttons for those providers will appear in your Hosted UI view (if you are using the Hosted UI). E.g. a Facebook, or Google+ button will appear so that your users can authenticate using them.
5. Now whether you sign in via Facebook, Google, or using a username and password, you will always get the JWTs returned that will have standardised claim (property) names (because of the attribute mapping), plus the User Pool sub.