Hi everyone I am using cognito to do authentication Is there Serverless Stack #sst

Hi everyone, I am using cognito to do authenticati...

Muhammad Ali

10/15/2021, 6:52 PM

Hi everyone, I am using cognito to do authentication. Is there a way to get cognito token attributes in a lambda of rest-api? I need to get userId in lambda and custom attributes that i am injecting in

preTokenGeneration

trigger

Ashishkumar Pandey

10/15/2021, 6:56 PM

I’m assuming you’re using JS/TS and so in that case you’ll have to decode the jwt token using the

jsonwebtoken

package. You can skip verifying the token and just use plain decode as all authentication-only lambdas will be only triggered by the API Gateway post token verification.

Michael Clifford

10/15/2021, 6:57 PM

If you are talking about the lambda that is firing post-auth, you can get them directly from the JWT claims

Ashishkumar Pandey

10/15/2021, 6:57 PM

This is if you’re using JWT tokens, I haven’t used Cognito with IAM or ID tokens.

Ashishkumar Pandey

10/15/2021, 6:59 PM

@Michael Clifford I think he wants to access custom claims in the last executing lambda.

Muhammad Ali

10/15/2021, 7:30 PM

decoding is not the problem. the problem is availability of that token. Let me put more details. I have

lambdaX

which is accessible by

mywebsite/path_to/lambdaX

rest api which requires authentication. The authentication is done by cognito and as part of authentication, I am injecting custom attributes via

preTokenGeneration

. Once done,

lambdaX

gets triggered and as per

sst

document, the only parameter it has is

event

. I don't see any

customAttributes

. I see there is an object

event.requestContext.authorizer {iam:[object]}

but not sure if this is the one to get those attributes from.

Ashishkumar Pandey

10/15/2021, 7:31 PM

what’s the

authorizationType

Muhammad Ali

10/15/2021, 7:33 PM

defaultAuthorizationType: sst.ApiAuthorizationType.AWS_IAM,

Ashishkumar Pandey

10/15/2021, 7:35 PM

okay. In that case you can’t use the technique I mentioned earlier. Try JSON.stringify on the event, I believe Cognito would definitely forward custom attributes to your lambda function as a part of the event.

Ashishkumar Pandey

10/15/2021, 7:37 PM

From what I could find this is the path to access cognito claims in case of IAM auth -

event.requestContext.authorizer.claims

. All your claims including custom claims will be included here.

Muhammad Ali

10/15/2021, 7:42 PM

Tehre is no claim object in case of

AWS_IAM

auth. here is what event looks like

Copy code

{
  version: '2.0',
  routeKey: 'GET /lambdaX',
  rawPath: '/lambdaX',
  rawQueryString: '',
  headers: {
    accept: 'application/json',
    authorization: 'AWS4-HMAC-SHA256 Credential=xxxxxxxxxxxxxxxx/20211015/us-east-1/execute-api/aws4_request, SignedHeaders=accept;host;x-amz-date, Signature=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
    'content-length': '0',
    'content-type': 'application/json',
    host: '<http://apihost.execute-api.us-east-1.amazonaws.com|apihost.execute-api.us-east-1.amazonaws.com>',
    'user-agent': 'axios/0.18.1',
    'x-amz-date': '20211015T193105Z',
    'x-amz-security-token': 'xxxxxxxxxxxxxxxx//////////xxxxxxxxxxxxxxxxxxx/xxxxx+xxxxxxxxxxxxx+xxx/xxxx/xxxxx+xxxx+xx+xxxx/xxx+xxxxx+xxxxxx/xxx/xxxx/xxxx/xxxx/xxxxxx+xxxxx/xxxx+xxxx+xxxxxx+xxxxx+xxxxx/xx/xx/xxxxxxx/xxxx/xxxxx+xxxxxx/xxxxx/xxxxx/xxxxx+xxxxxx+xxxxxxx/xxxxxx/xxxxxx+xxxxxxxx+xxxxxxx+xxxxxxx',
    'x-amzn-trace-id': 'Root=1-xxxx-xxxxxxx',
    'x-forwarded-for': 'xx.xxx.x.xxx',
    'x-forwarded-port': '443',
    'x-forwarded-proto': 'https'
  },
  requestContext: {
    accountId: 'xxxxxxx',
    apiId: 'apihost',
    authorizer: { iam: [Object] },
    domainName: '<http://apihost.execute-api.us-east-1.amazonaws.com|apihost.execute-api.us-east-1.amazonaws.com>',
    domainPrefix: 'apihost',
    http: {
      method: 'GET',
      path: '/lambdaX',
      protocol: 'HTTP/1.1',
      sourceIp: 'xx.xxx.x.xxx',
      userAgent: 'axios/0.18.1'
    },
    requestId: 'xxxxx=',
    routeKey: 'GET /lambdaX',
    stage: '$default',
    time: '15/Oct/2021:19:31:05 +0000',
    timeEpoch: 1634326265776
  },
  isBase64Encoded: false
}

Muhammad Ali

10/15/2021, 7:43 PM

The

event.requestContext.authorizer

only has

iam

object. which doesn't have any relevant information.

Ashishkumar Pandey

10/15/2021, 8:18 PM

What’s the output for

event.requestContext.authorizer.iam.cognitoIdentity.identityId

Muhammad Ali

10/16/2021, 3:18 AM

here is the output for

event.requestContext.authorizer["iam"]

Copy code

{
  accessKey: 'XXXXXXXXX',
  accountId: 'XXXXXXXX',
  callerId: 'XXXXXXXXXXXX:CognitoIdentityCredentials',
  cognitoIdentity: {
    amr: [
      'authenticated',
      '<http://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx|cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx>',
      '<http://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx:CognitoSignIn:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx|cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxx:CognitoSignIn:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx>'
    ],
    identityId: 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx',
    identityPoolId: 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx'
  },
  principalOrgId: null,
  userArn: 'arn:aws:sts::xxxxxxxxxxxx:assumed-role/dev-rest-api-my-stack-AuthIdentityPoolAuthRoleD14D-xxxxxxxx/CognitoIdentityCredentials',
  userId: 'XXXXXXXXXXXX:CognitoIdentityCredentials'
}

Open in Slack

Previous Next