Should I use AWS Cognito "username" or "sub" (uid) for storing in database?

I have an authenticated user in the AWS Cognito service and want to store his unique identifier in the database. Should I store the user's username (it's his phone number) or his "sub" (it's his uid)? All Amazon API functions like AdminGetUser use the "username" parameter, not sub/uid.

But I also read that article and the author said "Always generate the policy on value of 'sub' claim and not for 'username' because username is reassignable. Sub is UUID for a user which is never reassigned to another user."

So now I'm hesitating over what I have to use as the unique user identifier: "username" or "sub".

Thank you.

lexa asked Aug 30 '16 09:08



2 Answers

Update 2021

Both options are possible.

But keep in mind that if a user with the username erlich.bachman deletes his account, a new user can use this same username later and your mapping will be wrong...

A username is always required to register a user, and it cannot be changed after a user is created.

However

The username must be unique within a user pool. A username can be reused, but only after it has been deleted and is no longer in use.

The sub as id

You can use the sub as ID and the username as an attribute in your database. This will allow you to get a user by his/her username with AdminGetUser, but also to avoid any data loss, as mentioned by @willscripted in a comment.

Referencing sub risks data loss and can make it difficult to migrate or recover a userpool. Since sub is globally unique, any restored user data will have new sub values. It will mean re-keying your app database with the new sub keys, whereas if you had used username you could restore your pool as expected. @willscripted

The username as id

If you prefer to use the username directly as id, you can either remove the user from your database when his/her account is deleted, or use the "Pre Sign-up" trigger to prevent a user from using a username already in the database.

user108828 answered Oct 17 '22 01:10
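As an added example (not code from either answer or from AWS), a Node.js "Pre Sign-up" trigger implementing the safeguard described for the "username as id" layout, plus a lookup keyed by sub for the "sub as id" layout. The in-memory appDb, the usernameInUse and findBySub helpers, and the sample records are constructed for illustration; event.userName and the thrown-error rejection are real Cognito trigger behaviour.

```javascript
// Application records keyed by username, each carrying the Cognito sub.
// Constructed sample data; a real trigger would query the application database.
const appDb = new Map([
  ["erlich.bachman", { sub: "11111111-1111-1111-1111-111111111111", plan: "pro" }],
  ["gilfoyle", { sub: "22222222-2222-2222-2222-222222222222", plan: "free" }],
]);

// True when a username is still referenced by a row in the application database.
// Comparison is case-insensitive because a user pool may be configured to treat
// usernames case-insensitively; matching only the exact case would leave a gap.
function usernameInUse(username, db = appDb) {
  const wanted = String(username).toLowerCase();
  for (const key of db.keys()) {
    if (key.toLowerCase() === wanted) return true;
  }
  return false;
}

// Pre Sign-up trigger handler. Cognito passes the requested username in
// event.userName; throwing rejects the sign-up and the message goes to the client,
// so a deleted-then-reused username can never be mapped onto old rows.
// Synchronous here for simplicity; a production handler would be async.
function preSignUp(event, db = appDb) {
  if (usernameInUse(event.userName, db)) {
    throw new Error(`Username ${event.userName} is already in use`);
  }
  return event; // returning the event unchanged lets the sign-up proceed
}

// For the "sub as id" layout: resolve the application record by sub only, so a
// re-registered username never resolves to the previous owner's data.
function findBySub(sub, db = appDb) {
  for (const record of db.values()) {
    if (record.sub === sub) return record;
  }
  return null;
}
```

The handler is the function you would attach to the user pool's Pre Sign-up trigger; findBySub is what the application's own request path should call once it has the sub claim from the user's token.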


One of the current limitations (to this date) of Cognito is listing users: if you save the sub in your own database to identify your users and later try to recover information about this saved user from Cognito, it is not possible, because AWS doesn't allow filtering by sub or custom attributes. So use username for saving a UUID and preferred_username as an alias for the real username.

In JavaScript, AWS.CognitoIdentityServiceProvider.ListUser; the same applies to the others.

user2976753 answered Oct 17 '22 00:10