Identify user within AWS Lambda from authorization token generated via Cognito

We are using API Gateway to expose our APIs, which sit in front of AWS Lambdas. As authorizer, a Cognito user pool has been used in API Gateway to authenticate the user and protect the protected endpoints. So, the general flow is: the user passes the below mentioned information to get an access token from Cognito via an API Gateway endpoint (/grantToken):

1. App client id
2. App client secret
3. username
4. password

After obtaining the access_token, the user passes this authorization token in the header while accessing the protected endpoints. Cognito automatically authorizes the user and redirects the request to the specific AWS Lambdas. This much is working fine.

What I want to know is, within the Lambda, from the authorization token (passed in the header), how can I determine which user's token was passed? Is there any other way to determine the identity of the authorized user? Does AWS Cognito have any use in this case?

Note: If I can get the App client id from the passed authorization token, it will serve my purpose.

Tahniat Ashraf asked Sep 08 '19 10:09


1 Answer

Answers to your questions:

1. how can I determine which user's token was passed?

  • You can use any JWT token decoder like jsonwebtoken

E.g.:

```javascript
var jwt = require('jsonwebtoken'); // you can use import
// `secret` must be the key the token was signed with. Cognito user pool tokens are
// RS256, so this is the public key (from the pool's JWKS) matching the token's kid.
var decoded = jwt.verify(token, secret);
console.log(decoded); // the verified claims, e.g. sub, username, exp
```

2. Is there any other way to determine the identity of the authorized user?

  • you can use the access token to get user details from cognito using GetUser method.

Refer: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html

3. If I can get App client id from the passed authorization token, it will serve my purpose.

  • It is not possible to get the app client id from the authorization token.

  • Generally, the client app ID is the one you received when you created the app in the User Pools section of the AWS Management Console for AWS Cognito.

  • The user pool access token contains claims about the authenticated user, but unlike the ID token, it does not include identity information. The primary purpose of the access token is to authorize API operations in the context of the user in the user pool.

Refer: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

Right approach:

  • You should store the same App client id and secret in the Node.js .env file and access them whenever required. This URL will help you find the app client id: https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-client-apps.html


Nikhil Kadam answered Oct 13 '22 01:10