Identify user within AWS Lambda from authorization token generated via Cognito

3
votes

We are using API Gateway to expose our APIs which sits in front of AWS Lambdas. As authorizer, Cognito user pool has been used in API Gateway to authenticate the user and protect the protected endpoints. So, the general flow is, user passes the below mentioned information to get access token from cognito via an API Gateway end point (/grantToken) :

1. App client id
2. App client secret
3. username
4. password

After obtaining the access_token, user passes this authorization token in the header while accessing the protected endpoints. Cognito automatically authorizes the user, and redirects the request to specific AWS Lambdas. This much is working fine.

What I want to know is, within the lambda, from the authorization token (passed in header) - how can I determine which user's token was passed? Is there any other way to determine the identity of the authorized user? Does AWS Cognito has any use in this case?

Note : If I can get App client id from the passed authorization token, it will serve my purpose.

3
amazon-web-servicesaws-lambdaauthorizationaws-api-gatewayamazon-cognito
If you are satisfied with my answer please accept it.Nikhil Kadam

3 Answers

1
votes

Answers to your questions:

1. how can I determine which user's token was passed?

Eg:

var jwt = require('jsonwebtoken'); // you can use import
var decoded = jwt.verify(token, secret);
console.log(decoded) // bar

2. Is there any other way to determine the identity of the authorized user?

  • you can use the access token to get user details from cognito using GetUser method.

Refer: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html

3. If I can get App client id from the passed authorization token, it will serve my purpose.

  • This is not possible to get app client id from authorization token.

  • Generally, client app ID that you received when you created the app in the your User Pools section of the AWS Management Console for aws Cognito.

  • The user pool access token contains claims about the authenticated user, but unlike the ID token, it does not include identity information. The primary purpose of the access token is to authorize API operations in the context of the user in the user pool.

Refer: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token

Right approach:

enter image description here

1
votes

You can use the GetUser API to exchange the access_token for user details which includes their username. Just update your lambda code to make this call.

1
votes

For Googlers:

If you want to access JWT claims in Lambda, after authorizer has done its job, find them under the event parameter, which is the first parameter passed to your Lambda.

This is true for HTTP API with JWT Authorizer (Cognito-backed), should also work in other situations.

The document is again confusing to indicate using $context, this is not required by HTTP API + Lambda + JWT Authorizer.