Getting cognito user pool username from cognito identity pool identityId

I am using AWS Cognito User Pools for account management with a Cognito Identity Pool that has this User Pool as the Identity Provider. I'm using this to control access to an API through API Gateway that sends requests to Lambda. My Lambda is implemented with Java 8 using Micronaut. All of this is working fine.

In the Lambda, I'm getting the name from the Principal in the HttpRequest:

  protected String resolveUser( HttpRequest request ){
    String ret = null;

    Optional<Principal> principal = request.getUserPrincipal();
    if( principal.isPresent() ){
      ret = principal.get().getName();
    }

    if( ret == null || ret.length() == 0 ){
      ret = "unknown";
    }
    return ret;
  }

What comes back as the string name is the Cognito identityId. Something like this:

us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx

I would like to either log the actual user login or at least have some way to convert the identityId to the login when needed.

The LookupDeveloperIdentity API call appears to be the right way to go about this, but I'm unable to get it to work.

Attempting to do this with Java and the AWS Java SDK 2:

  protected String loadUsername( String user ){
    String ret = "unknown:"+user;
    CognitoIdentityClient cognito = CognitoIdentityClient.create();

    LookupDeveloperIdentityRequest request = LookupDeveloperIdentityRequest.builder()
      .identityPoolId( identityPoolId )
      .identityId( user )
      .build();
    LookupDeveloperIdentityResponse response = cognito.lookupDeveloperIdentity( request );
    List<String> identifiers = response.developerUserIdentifierList();
    if( identifiers != null && identifiers.size() > 0 ){
      ret = identifiers.get( 0 );
    }

    return ret;
  }

throws an exception

software.amazon.awssdk.services.cognitoidentity.model.NotAuthorizedException: You do not have access to this identity (Service: CognitoIdentity, Status Code: 400, Request ID: 64e36646-612b-4985-91d1-82aca770XXXX)

Attempting to do this via the CLI produces a similar result:

aws cognito-identity lookup-developer-identity --identity-id us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx --identity-pool-id us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx --max-results=10

An error occurred (NotAuthorizedException) when calling the LookupDeveloperIdentity operation: You do not have access to this identity

I have made sure the IAM policy in place should be able to handle this, and when I try it with a role that does not have this policy, I get a different error:

    {
        "Effect": "Allow",
        "Action": [
            "cognito-identity:LookupDeveloperIdentity"
        ],
        "Resource": [
            "arn:aws:cognito-identity:us-east-1:##########:identitypool/us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx"
        ]
    }

So the questions boil down to:

  • Is this the best way to get the user pool username from the identity pool id?
    • If it is - what am I doing incorrectly?
    • If it is not - what is a better way of doing this?
Prisoner asked Jan 02 '20 17:01



1 Answer

Alternative Approach

In order to retrieve the user's User Pool user ID, you can read the following in your lambda:

authProvider = event.requestContext.identity.cognitoAuthenticationProvider;

This will return a string that includes the user's User Pool user ID; it will look something like:

cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx,cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr

Where us-east-1_aaaaaaaaa is the User Pool id and qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr is the User Pool User Id. You can then split the string and extract the user ID.

Note that this info will differ depending on the authentication provider you are using.

Then, if you need the username instead of the user ID, you can extract it directly from the User Pool by getting the appropriate details for that specific user ID.

Reference

https://serverless-stack.com/chapters/mapping-cognito-identity-id-and-user-pool-id.html

Xanthos Symeou answered Sep 17 '22 07:09
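As an added example (not code from the question or the answer above), here is a small Node.js helper that parses the `cognitoAuthenticationProvider` string the answer describes into its region, User Pool ID and User Pool user ID (the `sub`), and returns `null` for anything that did not come through the expected User Pool. The function names, the `expectedUserPoolId` check and the sample event are my own constructions; the string format is the one shown in the answer.

```javascript
// Added example: parse API Gateway's event.requestContext.identity.cognitoAuthenticationProvider
// for a caller who authenticated to an identity pool through a Cognito user pool.
//
// Shape shown in the answer:
//   cognito-idp.<region>.amazonaws.com/<poolId>,cognito-idp.<region>.amazonaws.com/<poolId>:CognitoSignIn:<sub>
const COGNITO_IDP_HOST = /^cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([A-Za-z0-9_-]+)$/;

// Returns { region, userPoolId, sub } or null when the value is absent,
// comes from a non-Cognito provider, or names a pool other than expectedUserPoolId.
function parseCognitoAuthenticationProvider(provider, expectedUserPoolId) {
  if (typeof provider !== 'string' || provider.length === 0) {
    return null; // unauthenticated identity, or a provider that sets no value
  }
  // The last comma-separated part carries "<idp>:CognitoSignIn:<sub>".
  const parts = provider.split(',');
  const segments = parts[parts.length - 1].split(':');
  if (segments.length !== 3 || segments[1] !== 'CognitoSignIn') {
    return null; // e.g. a social provider, whose string has a different layout
  }
  const [idp, , sub] = segments;
  const m = COGNITO_IDP_HOST.exec(idp);
  if (!m) return null;
  const [, region, userPoolId] = m;
  if (expectedUserPoolId !== undefined && userPoolId !== expectedUserPoolId) {
    return null; // identity came from a pool this API does not trust
  }
  return { region, userPoolId, sub };
}

// Convenience wrapper for a Lambda proxy-integration event (hypothetical helper name).
function resolveUserPoolSub(event, expectedUserPoolId) {
  const identity = event && event.requestContext && event.requestContext.identity;
  const parsed = parseCognitoAuthenticationProvider(
    identity && identity.cognitoAuthenticationProvider,
    expectedUserPoolId
  );
  return parsed ? parsed.sub : null;
}

// Constructed sample event mirroring the shape described in the answer.
const SAMPLE_EVENT = {
  requestContext: {
    identity: {
      cognitoIdentityId: 'us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx',
      cognitoAuthenticationProvider:
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa,' +
        'cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:' +
        'qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr',
    },
  },
};

module.exports = { parseCognitoAuthenticationProvider, resolveUserPoolSub, SAMPLE_EVENT };
```

The `expectedUserPoolId` check is there because an identity pool can sit in front of several providers, and, as the answer notes, the string's contents vary with the provider; pinning the pool before using the `sub` for logging or authorization keeps an identifier from some other provider from being read as one of your User Pool users. Once you have the `sub`, the username can be fetched from the User Pool with the `ListUsers` API using a filter on the `sub` attribute; that network call is left out so the example runs offline.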