Rub

Reputation: 2708

How to get the USER details from a call to HTTP API Gateway + Lambda that is authenticated with an Amazon Cognito User Pool

The user logs in to Amazon Cognito and the App/Web gets an "Access Token" that is used whenever it calls API Gateway (HTTP API or REST API).

The API Gateway is configured to use Cognito User Pool as Authorizer, so if the "Access Token" is valid the call can pass to Lambda.

So, how do I know (inside Lambda) who the user making the calls is and what his/her details are?

Upvotes: 3

Views: 2522

Answers (1)

Rub

Reputation: 2708

This answer set me on an easy path, but I realized there is an easier one.

If you dump the content received by the Lambda (Python code) like this:


And then call the API like this (GET/POST/other depends on how you defined your API):

# curl --request GET  --header "Authorization: ${TOKEN}"   "${GATEWAY_URL}"

You get a bunch of text. Paste it into https://jsonformatter.curiousconcept.com/ to format it nicely and you will see that within the event you have lots of info like:

{
  "version":"2.0",
  "routeKey":"ANY /*****",
  "rawPath":"/default/****",
  "rawQueryString":"",
  "headers":{
     "accept":"*/*",
     "authorization":"eyJraW...QiOi",
     "content-length":"0",
     "host":"*******.execute-api.eu-west-1.amazonaws.com",
     "user-agent":"curl/7.52.1",
     "x-amzn-trace-id":"Root=1-5ff1***eee7347",
     "x-forwarded-for":"**.**.243.124",
     "x-forwarded-port":"443",
     "x-forwarded-proto":"https"
  },
  "requestContext":{
     "accountId":"****",
     "apiId":"*****",
     "authorizer":{
        "jwt":{
           "claims":{
              "at_hash":"-pO***Eg",
              "aud":"1jk***0n0",
              "auth_time":"160***928",
              "cognito:username":"357d***a77de4d",
              "email":"***@gmail.com",
              "email_verified":"true",
              "event_id":"19f7e***dc0e80",
              "exp":"16***28",
              "iat":"16***928",
              "iss":"https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_***8z",
              "name":"UserName",
              "sub":"357***77de4d",
              "token_use":"id"
           },
           "scopes":"None"
        }
     },
     "domainName":"***.execute-api.eu-west-1.amazonaws.com",
     "domainPrefix":"***",
     "http":{
        "method":"GET",
        "path":"/default/***",
        "protocol":"HTTP/1.1",
        "sourceIp":"***",
        "userAgent":"curl/7.52.1"
     },
     "requestId":"Yi***sA=",
     "routeKey":"ANY /***",
     "stage":"default",
     "time":"02/Jan/2021:23:45:15 +0000",
     "timeEpoch":1609631115197
  },
  "isBase64Encoded":false
}

That is, all the user details are there and you don't have to do anything to get them.

In particular, these two are here:

event["requestContext"]["authorizer"]["jwt"]["claims"]["email"]
event["requestContext"]["authorizer"]["jwt"]["claims"]["name"]

This has even better implications.

You can leverage HTTP API Gateway + Lambda for:

  • Validation of an Access TOKEN (if not valid or expired you get an 'Unauthorized' response)
  • Extraction of token scopes / details

All this within 130ms (of which you only pay for 3ms). No loading libraries, no manipulating data, no manual decoding, no bulls**t.


The only required work is to configure the User Pool and API Gateway (HTTP or REST type) to do the Authentication for you.


If you wonder where you get the value of TOKEN, it is encoded in the URL that is called after a successful login to Cognito.


Note that you may get two tokens in the response URL, ID_TOKEN and ACCESS_TOKEN. To get the user details you need to call the API using the ID_TOKEN.

Upvotes: 3
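As an added example (not code from the question or the answer above), a Python Lambda handler that reads the identity from the `requestContext.authorizer.jwt.claims` block shown in the dump, and returns 401 when those claims are absent (route invoked without the authorizer) or when the token is an ACCESS_TOKEN rather than an ID_TOKEN, since only the ID token carries `email`/`name`. The sample event and the function names are constructed for this example.

```python
import json

# Constructed sample event: the shape of the HTTP API (payload v2.0) event
# from the dump above, with a JWT authorizer and an ID token.
SAMPLE_EVENT = {
    "version": "2.0",
    "requestContext": {
        "authorizer": {
            "jwt": {
                "claims": {
                    "sub": "357d-constructed-sub",
                    "cognito:username": "357d-constructed-sub",
                    "email": "user@example.com",
                    "email_verified": "true",
                    "name": "UserName",
                    "token_use": "id",
                },
                "scopes": None,
            }
        }
    },
}

def get_user(event):
    """Return the caller's identity from the claims API Gateway verified.

    Only requestContext.authorizer is used: the gateway fills it in after
    checking the JWT signature, issuer, audience and expiry. The raw
    Authorization header is never parsed here. Returns None when the route
    ran without the authorizer or when the token is an access token, which
    carries no email/name claims (the answer's ID_TOKEN note).
    """
    jwt = event.get("requestContext", {}).get("authorizer", {}).get("jwt", {})
    claims = jwt.get("claims")
    if not claims or claims.get("token_use") != "id":
        return None
    return {
        "sub": claims.get("sub"),
        "username": claims.get("cognito:username"),
        "email": claims.get("email"),
        "email_verified": claims.get("email_verified") == "true",
        "name": claims.get("name"),
    }

def lambda_handler(event, context=None):
    user = get_user(event)
    if user is None:
        return {"statusCode": 401, "body": json.dumps({"message": "Unauthorized"})}
    return {"statusCode": 200, "body": json.dumps(user)}
```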
