https://serverless-stack.com/ logo
#sst
Title
# sst
m

Muhammad Ali

10/15/2021, 6:52 PM
Hi everyone, I am using cognito to do authentication. Is there a way to get cognito token attributes in a lambda of rest-api? I need to get userId in lambda and custom attributes that i am injecting in
preTokenGeneration
trigger
a

Ashishkumar Pandey

10/15/2021, 6:56 PM
I’m assuming you’re using JS/TS and so in that case you’ll have to decode the jwt token using the
jsonwebtoken
package. You can skip verifying the token and just use plain decode as all authentication-only lambdas will be only triggered by the API Gateway post token verification.
m

Michael Clifford

10/15/2021, 6:57 PM
If you are talking about the lambda that is firing post-auth, you can get them directly from the JWT claims
a

Ashishkumar Pandey

10/15/2021, 6:57 PM
This is if you’re using JWT tokens, I haven’t used Cognito with IAM or ID tokens.
@Michael Clifford I think he wants to access custom claims in the last executing lambda.
m

Muhammad Ali

10/15/2021, 7:30 PM
decoding is not the problem. the problem is availability of that token. Let me put more details. I have
lambdaX
which is accessible by
mywebsite/path_to/lambdaX
rest api which requires authentication. The authentication is done by cognito and as part of authentication, I am injecting custom attributes via
preTokenGeneration
. Once done,
lambdaX
gets triggered and as per
sst
document, the only parameter it has is
event
. I don't see any
customAttributes
. I see there is an object
event.requestContext.authorizer {iam:[object]}
but not sure if this is the one to get those attributes from.
a

Ashishkumar Pandey

10/15/2021, 7:31 PM
what’s the
authorizationType
?
m

Muhammad Ali

10/15/2021, 7:33 PM
defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,
a

Ashishkumar Pandey

10/15/2021, 7:35 PM
okay. In that case you can’t use the technique I mentioned earlier. Try JSON.stringify on the event, I believe Cognito would definitely forward custom attributes to your lambda function as a part of the event.
From what I could find this is the path to access cognito claims in case of IAM auth -
event.requestContext.authorizer.claims
. All your claims including custom claims will be included here.
m

Muhammad Ali

10/15/2021, 7:42 PM
Tehre is no claim object in case of
AWS_IAM
auth. here is what event looks like
Copy code
{
  version: '2.0',
  routeKey: 'GET /lambdaX',
  rawPath: '/lambdaX',
  rawQueryString: '',
  headers: {
    accept: 'application/json',
    authorization: 'AWS4-HMAC-SHA256 Credential=xxxxxxxxxxxxxxxx/20211015/us-east-1/execute-api/aws4_request, SignedHeaders=accept;host;x-amz-date, Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
    'content-length': '0',
    'content-type': 'application/json',
    host: '<http://apihost.execute-api.us-east-1.amazonaws.com|apihost.execute-api.us-east-1.amazonaws.com>',
    'user-agent': 'axios/0.18.1',
    'x-amz-date': '20211015T193105Z',
    'x-amz-security-token': 'xxxxxxxxxxxxxxxx//////////xxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxx+xxx/xxxx/xxxxx+xxxx+xx+xxxx/xxx+xxxxx+xxxxxx/xxx/xxxx/xxxx/xxxx/xxxxxx+xxxxx/xxxx+xxxx+xxxxxx+xxxxx+xxxxx/xx/xx/xxxxxxx/xxxx/xxxxx+xxxxxx/xxxxx/xxxxx/xxxxx+xxxxxx+xxxxxxx/xxxxxx/xxxxxx+xxxxxxxx+xxxxxxx+xxxxxxx',
    'x-amzn-trace-id': 'Root=1-xxxx-xxxxxxx',
    'x-forwarded-for': 'xx.xxx.x.xxx',
    'x-forwarded-port': '443',
    'x-forwarded-proto': 'https'
  },
  requestContext: {
    accountId: 'xxxxxxx',
    apiId: 'apihost',
    authorizer: { iam: [Object] },
    domainName: '<http://apihost.execute-api.us-east-1.amazonaws.com|apihost.execute-api.us-east-1.amazonaws.com>',
    domainPrefix: 'apihost',
    http: {
      method: 'GET',
      path: '/lambdaX',
      protocol: 'HTTP/1.1',
      sourceIp: 'xx.xxx.x.xxx',
      userAgent: 'axios/0.18.1'
    },
    requestId: 'xxxxx=',
    routeKey: 'GET /lambdaX',
    stage: '$default',
    time: '15/Oct/2021:19:31:05 +0000',
    timeEpoch: 1634326265776
  },
  isBase64Encoded: false
}
The
event.requestContext.authorizer
only has
iam
object. which doesn't have any relevant information.
a

Ashishkumar Pandey

10/15/2021, 8:18 PM
What’s the output for
event.requestContext.authorizer.iam.cognitoIdentity.identityId
?
m

Muhammad Ali

10/16/2021, 3:18 AM
here is the output for
event.requestContext.authorizer["iam"]
Copy code
{
  accessKey: 'XXXXXXXXX',
  accountId: 'XXXXXXXX',
  callerId: 'XXXXXXXXXXXX:CognitoIdentityCredentials',
  cognitoIdentity: {
    amr: [
      'authenticated',
      '<http://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx|cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx>',
      '<http://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx:CognitoSignIn:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx|cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx:CognitoSignIn:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx>'
    ],
    identityId: 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx',
    identityPoolId: 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
  },
  principalOrgId: null,
  userArn: 'arn:aws:sts::xxxxxxxxxxxx:assumed-role/dev-rest-api-my-stack-AuthIdentityPoolAuthRoleD14D-xxxxxxxx/CognitoIdentityCredentials',
  userId: 'XXXXXXXXXXXX:CognitoIdentityCredentials'
}