I have an AWS gateway API that is configured to be authorized by AWS_IAM and I authenticate users using Cognito Identity pools and this API is configured to trigger a lambda function.
Now when the lambda function is invoked I am able to get the identityId and identityPoolId inside the requrestContext object passed to the lambda through the event parameter. My question is how to get the user’s info (from the cognito user pool or any other identity provider like facebook, google…) inside this lambda function? Is there any configuration I need to make in order to include the user’s info in the event param? Or should I use some sort of AWS SDK function?
This is the requestContext I am receiving in the event param:
{
requestContext:{
accountId:'1234567890',
resourceId:'abcdef',
stage:'test',
requestId:'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
identity:{
cognitoIdentityPoolId:'us-west-2:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
accountId:'1234567890',
cognitoIdentityId:'us-west-2:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
caller:'ABCDEFGHIJKLMNOPQRSTUV:CognitoIdentityCredentials',
apiKey:null,
sourceIp:'0.0.0.0',
accessKey:'ABCDEFGHIJKLMNOPQRSTUV',
cognitoAuthenticationType:'authenticated',
cognitoAuthenticationProvider:'cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxxxxxx,cognito-idp.us-west-2.amazonaws.com/us-west-2_xxxxxxxxx:CognitoSignIn:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
userArn:'arn:aws:sts::1234567890:assumed-role/xxx-role/CognitoIdentityCredentials',
userAgent:'axios/0.16.1',
user:'ABCDEFGHIJKLMNOPQRSTUV:CognitoIdentityCredentials'
},
resourcePath:'/users',
httpMethod:'GET',
apiId:'xxxxxxxx'
}
}
2
Answers
You can use the access key to get the user information from Cognito inside your Lambda.
Cognito User Pools.
When someone successfully authenticates against a user pool Cognito issues an Access Token, Identity Token and Refresh Token – the identity token will contain all the information you’ve have allowed your app to access from the user pool attributes.
Identity Pools(federated Logins/Facebook etc)
When you receive a facebook token from your front end, you’ll need to call fb.api(‘/me’) to get the user info on the back end.
I’ve just finished working on a similar problem so here’s my advice. Personally I’d write your own authorisation mechanism and issue your own JWT tokens with the user info you want in them.
The reason being is that you can’t get a Cognito JWT token for a federated identity that will work with the Cognito authoriser on and endpoint – I believe this is on the roadmap(although I’m not privy to anything in particular that goes on within AWS).
Basically if you’re using both User Pools and Federated Identities you need a way to consistently share user info(as you’re trying to do now) so issuing your own JWT’s is the easiest solution.