Hi, can you explain better which action you are performing with the API Gateway? Because it looks like the API Gateway is modifying your header; the problem is not on the Amazon Cognito side.
Please try to run the following command to get a fresh access token from Amazon Cognito.
Be aware that the user needs to be in a verified state and the application associated with the client-id needs to allow the "USER_PASSWORD_AUTH" auth flow.
    aws cognito-idp initiate-auth --region <REGION> --auth-flow USER_PASSWORD_AUTH --client-id <CLIENT-ID> --auth-parameters USERNAME=<USERNAME>,PASSWORD=<PASSWORD>
From the previous command you will get back an answer similar to the following:
    {
        "ChallengeParameters": {},
        "AuthenticationResult": {
            "AccessToken": "eyJraWQiOiJNdWx6K1pu.....rw",
            "ExpiresIn": 3600,
            "TokenType": "Bearer",
            "RefreshToken": "eyJjdHki.....UMmI5ijEqfNLjLhi"
        }
    }
If you take the access token and decrypt it (using https://jwt.io/ for instance), you will see the following payload with the array of Cognito groups associated with the user:
    {
        "sub": "d2.....5",
        "cognito:groups": [
            "your group name"
        ],
        "iss": "https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_.......i",
        "client_id": "677a.......vp",
        "origin_jti": "05........f8cd",
        "event_id": "1...........9e",
        "token_use": "access",
        "scope": "aws.cognito.signin.user.admin",
        "auth_time": 1680652029,
        "exp": 1680655629,
        "iat": 1680652029,
        "jti": "62........b9",
        "username": "d..........15"
    }
UPDATE
When the ID token passes through the API Gateway authorizer, the format of the claim is modified and the groups associated with the user are concatenated as comma-separated values (example below).
The example refers to a console log of the input data of a Lambda function connected to an API Gateway authenticated with a Cognito user pool. The Cognito groups can be found in "requestContext", as in the example below.
    "requestContext": {
        "resourceId": "7z......",
        "authorizer": {
            "claims": {
                "sub": "d22b7......615",
                "cognito:groups": "Group1,Group2",
                "email_verified": "true",
                "iss": "https://cognito-idp.eu-central-1.amazonaws.com/eu-ce......Ri",
                "cognito:username": "d22b7a28......0354a615",
                "origin_jti": "b72d9......4eca84209",
                "aud": "677ak......kvp",
                "event_id": "bc829a4......61",
                "token_use": "id",
                "auth_time": "168......52",
                "exp": "Wed Apr 05 18:05:52 UTC 2023",
                "iat": "Wed Apr 05 17:05:52 UTC 2023",
                "jti": "420158e6......6b9577e",
                "email": "sim......@......on.it"
            }
        },
Moreover, the original idToken can also be found in the header list.
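An added example (not code from the original answer or from AWS) of how a Lambda behind the REST authorizer can consume the groups claim in either of the two shapes shown above; the event, claim values and group names are constructed.

```javascript
// Added example (not from the original answer or from AWS): how a Lambda behind
// an API Gateway REST authorizer of type COGNITO_USER_POOLS can read group
// membership. Decoded straight from the JWT, "cognito:groups" is an array;
// after the authorizer it arrives in event.requestContext.authorizer.claims
// as the flattened string "Group1,Group2". Both shapes are accepted.

function parseGroups(groupsClaim) {
  if (groupsClaim === undefined || groupsClaim === null) return [];
  if (Array.isArray(groupsClaim)) {
    return groupsClaim.map((g) => String(g).trim()).filter(Boolean);
  }
  if (typeof groupsClaim === "string") {
    // Authorizer-flattened form: comma-separated values.
    return groupsClaim.split(",").map((g) => g.trim()).filter(Boolean);
  }
  throw new TypeError(`unexpected cognito:groups type: ${typeof groupsClaim}`);
}

// Groups from the authorizer context, or null when the request carries no
// authorizer claims (i.e. it did not pass through the Cognito authorizer).
function callerGroups(event) {
  const claims = event?.requestContext?.authorizer?.claims;
  if (!claims) return null;
  return parseGroups(claims["cognito:groups"]);
}

// Allow only callers in at least one required group. Only the claims placed
// there by API Gateway are used; the raw Authorization header is not parsed,
// because the gateway has already verified the token's signature.
function isAllowed(event, requiredGroups) {
  const groups = callerGroups(event);
  if (groups === null) return false;
  return requiredGroups.some((g) => groups.includes(g));
}

// Constructed sample event, shaped like the console log in the answer.
const sampleEvent = {
  requestContext: {
    authorizer: {
      claims: {
        sub: "constructed-sub",
        "cognito:groups": "Group1,Group2",
        token_use: "id",
        exp: "Wed Apr 05 18:05:52 UTC 2023",
      },
    },
  },
};
```

Call `isAllowed(event, ["Group2"])` at the top of the handler and return 403 when it is false.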
Thanks for your response; the token is correctly decoded, as I ran it through jwt.io. Now what could be the possible issue? I am using the API Gateway authorizer and this is how it is configured; can you point out any potential mistakes?
    ApiGatewayAuthorizer: {
      Type: 'AWS::ApiGateway::Authorizer',
      Properties: {
        AuthorizerResultTtlInSeconds: 300,
        IdentitySource: 'method.request.header.Authorization',
        Name: 'Cognito',
        RestApiId: { Ref: 'ApiGatewayRestApi' },
        Type: 'COGNITO_USER_POOLS',
        ProviderARNs: ['arn:aws:cognito-idp:us-west-2:accountId:userpool/us-west-2_xxxxxx'],
      },
    },
There is a similar question on Stack Overflow, still unanswered: https://stackoverflow.com/questions/74180027/why-does-aws-api-gateway-cognito-authroizer-change-the-jwt-payload-in-extracted
Let me update my original answer to address this point as well.
I have updated my answer; if this information helped you, please consider accepting my response :)