Access user info from lambda
I'm working on a serverless app with AWS.
I use AWS Cognito User Pool to manage users: register, login, logout.
Once those users have been confirmed, I use AWS Cognito Identity Pool to get temporary credentials. Then I use those credentials to access the API (the endpoint on my API requires AWS_IAM for auth and calls Lambda).
All of that works perfectly. But I need to know which user has requested the action. In the Lambda I can get the IdentityId from my Identity Pool. But I need to get attributes from my user in User Pool.
So my question is: is there a way to get a user from User Pool using the IdentityId of the Identity attached to it? Or at least, get the access token? I know I can send the access token in headers but I would like to only depend on the AWS_IAM auth.
aws-lambda aws-api-gateway amazon-cognito
asked Nov 15 '18 at 15:31
Anne
1 Answer
Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user, depending on your configuration).
Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools). You can then use this token against the userpools:GetUser endpoint.
There are a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.
But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool – Anne, Nov 16 '18 at 10:49
Sorry, I had misunderstood and thought you had an idToken. I've updated my answer for the approach you'd take with identity_id – thomasmichaelwallace, Nov 16 '18 at 11:39
edited Nov 16 '18 at 11:38
answered Nov 16 '18 at 9:36
thomasmichaelwallace
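One way to identify the User Pool user inside the Lambda while relying only on AWS_IAM auth, as an added example that is not part of the original question or answer: with the Lambda proxy integration, API Gateway passes the login provider in `requestContext.identity.cognitoAuthenticationProvider`, and the code below checks it covers the federated and unauthenticated cases the answer warns about. The function names, `EXPECTED_POOL_ID` and the sample event are hypothetical and constructed for illustration.

```javascript
// Added example: resolve the User Pool user behind an AWS_IAM-authorised call.
// EXPECTED_POOL_ID is a placeholder for the pool this API is meant to serve.
const EXPECTED_POOL_ID = 'us-east-1_EXAMPLE';

// For a User Pool login the field has the form
//   "<issuer>,<issuer>:CognitoSignIn:<user pool sub>"
// where issuer is "cognito-idp.<region>.amazonaws.com/<userPoolId>".
const PROVIDER_RE =
  /^cognito-idp\.([a-z0-9-]+)\.amazonaws\.com\/([\w-]+),cognito-idp\.\1\.amazonaws\.com\/\2:CognitoSignIn:([0-9a-f-]{36})$/;

function userPoolCaller(event, expectedPoolId) {
  const identity = (event.requestContext && event.requestContext.identity) || {};
  if (identity.cognitoAuthenticationType !== 'authenticated') {
    return { ok: false, reason: 'unauthenticated identity' };
  }
  const match = PROVIDER_RE.exec(identity.cognitoAuthenticationProvider || '');
  if (!match) {
    // Another provider (e.g. Facebook): there is no User Pool user to look up.
    return { ok: false, reason: 'not a user pool login' };
  }
  const [, region, poolId, sub] = match;
  if (poolId !== expectedPoolId) {
    return { ok: false, reason: 'unexpected user pool' };
  }
  return { ok: true, region, poolId, sub, identityId: identity.cognitoIdentityId };
}

// Parameters for the cognito-idp ListUsers call, which returns the matching
// user's Username and attributes. The sub was already restricted to UUID
// characters above, so it cannot break out of the quoted filter value.
function listUsersParams(caller) {
  return { UserPoolId: caller.poolId, Filter: `sub = "${caller.sub}"`, Limit: 1 };
}

// Constructed sample event (not captured from a real deployment).
const sampleEvent = { requestContext: { identity: {
  cognitoIdentityId: 'us-east-1:00000000-0000-0000-0000-000000000000',
  cognitoAuthenticationType: 'authenticated',
  cognitoAuthenticationProvider:
    'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE,' +
    'cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE:CognitoSignIn:' +
    '11111111-2222-3333-4444-555555555555',
} } };
```

The Lambda's execution role needs `cognito-idp:ListUsers` on that one user pool only; the check against the expected pool keeps a login from any other pool linked to the Identity Pool from being looked up.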