AWS Cognito Group


In the docs its mentioned that Cognito IdentityToken has a cognito:groups in the payload which is

An array of the names of user pool groups that have your user as a member.

Now when I send my IdToken in headers to API gateway it returns gives a plain string instead of an array, take a look at the actual sample payload below:

authorizer: {
    claims: {
      sub: UUID',
      'cognito:groups': 'team_manager',
      iss: '',
      phone_number_verified: 'true',
      'cognito:username': 'UUID',
      origin_jti: 'jti',
      aud: 'aud',
      event_id: 'UUID',
      token_use: 'id',
      auth_time: '1680629979',
      phone_number: '+923xxxxxxx',
      exp: 'Tue Apr 04 18:39:39 UTC 2023',
      iat: 'Tue Apr 04 17:39:39 UTC 2023',
      jti: 'UUID',
      email: ''

I am a bit confused, how to go about this, I have gone through documentation multiple times to get some clue but no help.

1개 답변

Hi, can you example better which action are you performing with the API gateway? because it looks like the API gateway is modifying you header, the problem is not on Amazon Cognito side.

Please try to run the follwing command to get a fresh access token from Amazon Cognito.

Be aware that the user need to be in a verified state and the application associated to the cliet-id need to allow "USER_PASSWORD_AUTH" auth flow.

aws cognito-idp initiate-auth --region <REGION> --auth-flow USER_PASSWORD_AUTH --client-id <CLIENT-ID> --auth-parameters USERNAME=<USERNAME>,PASSWORD=<PASSWORD>

From the previous command you will get back an answer similar to the following:

    "ChallengeParameters": {},
    "AuthenticationResult": {
        "AccessToken": "",
        "ExpiresIn": 3600,
        "TokenType": "Bearer",
        "RefreshToken": "eyJjdHki.....UMmI5ijEqfNLjLhi

If you take the access token and decrypt it (using for instance) you will see the following payload with the array of cognito groups associated to the user

  "sub": "d2.....5",
  "cognito:groups": [
    "your group name"
  "iss": "",
  "client_id": "677a.......vp",
  "origin_jti": "05........f8cd",
  "event_id": "1...........9e",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1680652029,
  "exp": 1680655629,
  "iat": 1680652029,
  "jti": "62........b9",
  "username": "d..........15"


When you the ID token is passing thought the API Gateway Authenticator the format of the claim is modified and the groups associated to the user are concatenated on comma separated values (example below).

The example is referring to a console log of the input data of a Lambda function connected to an API Gateway authenticated with with a Cognito Pool. The Cognito groups can be found in the "requestContext" like in the example below.

"requestContext": {
        "resourceId": "7z......",
        "authorizer": {
            "claims": {
                "sub": "d22b7......615",
                "cognito:groups": "Group1,Group2",
                "email_verified": "true",
                "iss": "",
                "cognito:username": "d22b7a28......0354a615",
                "origin_jti": "b72d9......4eca84209",
                "aud": "677ak......kvp",
                "event_id": "bc829a4......61",
                "token_use": "id",
                "auth_time": "168......52",
                "exp": "Wed Apr 05 18:05:52 UTC 2023",
                "iat": "Wed Apr 05 17:05:52 UTC 2023",
                "jti": "420158e6......6b9577e",
                "email": ""

Moreover the original idToken can also be found in the header list.

답변함 일 년 전
  • Thanks for your response, the token is correctly decoded as i ran it through Now what could be the possible issue? I am using API Gateway authorizer and this is how it is configured can you point out any potential mistakes

    ApiGatewayAuthorizer: { Type: 'AWS::ApiGateway::Authorizer', Properties: { AuthorizerResultTtlInSeconds: 300, IdentitySource: 'method.request.header.Authorization', Name: 'Cognito', RestApiId: { Ref: 'ApiGatewayRestApi', }, Type: 'COGNITO_USER_POOLS', ProviderARNs: ['arn:aws:cognito-idp:us-west-2:accountId:userpool/us-west-2_xxxxxx'], }, },

  • let me update my original answer to address also this point

  • I have updated my answer, if this information helped you please consider to accept my response :)

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠