1
votes

Is it possible to find which user (within a user pool) a given Cognito identity belongs to? In the AWS Console? Programmatically?

In a Cognito Identity Pool, identities look like <region>:<guid>. When those identities come from a Cognito User Pool, then in the AWS Console, we can click on the identity and get access to some information. That information is limited to DateCreated and LinkedLogin=cognito-idp.<region>.amazonaws.com/<userpool_id> which only tells you this identity comes from Cognito User Pool and which pool, but that is far from actually useful. Can we actually tell which user within the user pool?


2 Answers

2
votes

After speaking to AWS developer support I found that it's not possible to link a Cognito Identity back to a user in a Cognito User Pool.

Hence, if you need to know which user your backend is executing code on behalf of, in a lambda perhaps, you have the following options:

  • Send user info inside the request. Even if the lambda invocation is authenticated with a Cognito Identity, and the lambda has access to the identity in the lambda's context, if you want user info you need to send it yourself. For example, send the ID Token in the request, validate it server side, and extract user info from it.

  • Use Cognito Sync to create a dataset for your Cognito Identities. Store a bit of user info inside the dataset.

0
votes

In the context of a node.js lambda, I can obtain the user pool identity via the following:

const AWS = require('aws-sdk');

function getAuthenticatedUser(env, event) {
    // The SDK client takes an options object, not a bare region string.
    let cognitoClient =
        new AWS.CognitoIdentityServiceProvider({ region: env.cognito.region });

    // When the identity was authenticated through a Cognito User Pool,
    // cognitoAuthenticationProvider ends in ":CognitoSignIn:<sub>".
    let userSub = event.requestContext.identity
        .cognitoAuthenticationProvider.split(':CognitoSignIn:')[1];
    if (!userSub) {
        return Promise.reject(
            new Error('request was not authenticated via a Cognito User Pool'));
    }

    let request = {
        UserPoolId: env.cognito.userPoolId,
        Filter: `sub = "${userSub}"`,
        Limit: 1
    };

    console.log(JSON.stringify(request, null, 2));
    return cognitoClient.listUsers(request).promise()
        .then((data) => {
            console.log('Cognito users list...');
            console.log(JSON.stringify(data, null, 2));
            // Undefined when no user in the pool has this sub.
            return data.Users[0];
        });
}

Where event is the standard Event structure passed into the lambda on execution. (See the API Gateway Proxy Request Event in the online AWS documentation on lambda event payloads).