stackoom
  简体   繁体   中英

Get Cognito user pool identity in Lambda function

 原文  2018-05-28 23:18:21       amazon-web-services/ amazon-cognito

Question

I have a Lambda function handling POST requests triggered by the API Gateway. The latter is set up to authorize via a Cognito user pool authorizer. Authorization works - if I pass a user's ID token, the request is processed, if I don't I get a 401.

However, I can't get the authorized user's identity in the Lambda function. All documentation makes me believe that it should be in the context, but it isn't. I can't map it in there, either. What's more, there doesn't seem to be a way to query the user pool for a user given their ID token, either.

Do I need an identity pool to accomplish this? If so, how does that work? And why wouldn't the API gateway automatically pass on the user's identity?

2 answers

solution1
 21 ACCPTED  2018-06-01 01:05:33

It depends on if you have Use Lambda Proxy Integration selected in the Integration Request for the lambda. If you have it set then all the token's claims will be passed through on event.requestContext.authorizer.claims .

If you are not using Lambda Proxy Integration then you need to use a Body Mapping Template in the Integration Request for the lambda. An example template with the application/json Content-Type is:

"context" : {
    "sub" : "$context.authorizer.claims.sub",
    "username" : "$context.authorizer.claims['cognito:username']",
    "email" : "$context.authorizer.claims.email",
    "userId" : "$context.authorizer.claims['custom:userId']"
}

This is expecting that there is a custom attribute called userId in the User Pool of course, and they are readable by the client.

You cannot use the id token against the aws cognito-idp APIs, you need to use the access token. You can however use AdminGetUser call with the username, if your lambda is authorized.

solution2
 1  2018-11-18 23:18:28

Use the event.requestContext.authorizer.claims.sub to get user's Cognito identity sub , which is basically their ID. This assumes you're using Proxy Integration with API Gateway and Lambda.

Here's a simple example using Node; should be similar across other SDKs.

exports.handler = async (event, context, callback) => {
    let cognitoIdentity = event.requestContext.authorizer.claims.sub

    // do something with `cognitoIdentity` here

    const response = {
        statusCode: 200,
        headers: {
            "Access-Control-Allow-Origin": "*"
        },        
        body: JSON.stringify("some data for user"),
    };
    return response;
};

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AWS Lambda - How to use context.identity.cognitoIdentityId to get related Cognito User Pool user data? How to get Cognito Identity ID given the Cognito User Pool ID? AWS Cognito & Lambda: add federated identity to user pool Triggering a Lambda function upon deleting a user on AWS Cognito User Pool Get identity provider oauth tokens in AWS cognito user pool aws - is it possible to use Cognito user pool custom field in lambda function? Getting cognito user pool username from cognito identity pool identityId Get Cognito user attributes in Lambda function Stop Unauthenticated Cognito Identity User Pool Signup AWS Cognito user pool identity REST examples
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM