Use Cognito access token or id token to do request to secure API endpoints?


Hi!

Right now my frontend is storing the Cognito-generated access token to make requests to my API endpoints, and it is working well. The thing is that I customized an attribute in Cognito containing the userId, and that custom attribute is in the id token. I need that attribute to get the user data for some internal DB flows. Since the id token contains sensitive data, should I use the id token to make requests against my API, or continue using the access token? I need to get the userId from the token, and I saw that I can create a Lambda pre authorization trigger to clean the id token and modify the attributes.

Is this a good approach? Or should I continue using the access token, get the username from that token, and then internally look up the user id from that username for some flows?

Thanks!

2 Answers
Accepted Answer

For starters, you should definitely stick to using the access token for your authorization needs against the API gateway. This is a best practice. The good news is you can now customize the access token using a Pre token generation Lambda trigger. This would allow you to add the necessary information to the access token. This feature is available with Cognito's advanced security features.

Otherwise, you could explore creating a backend mapping (ex: using DynamoDB) between the userId attribute (what you're ultimately needing) and the SUB of the user, which is present in the access token. Maintain the userId as the immutable identifier for the user for your solution and have an additional backend lookup to obtain the userId.

AWS
answered 3 months ago
reviewed by an Expert a month ago
  • I see! Thank you man!
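The accepted answer's first option, as an added example that is not code from this thread or from AWS: a Pre Token Generation Lambda (V2_0 event) that copies the custom attribute into the access token, plus the API-side read that falls back to the answer's second option (a backend sub-to-userId lookup). The attribute name `custom:userId`, the claim name `userId`, and the `lookup_by_sub` callback are assumptions.

```python
# Added example (not from the re:Post thread or AWS). Assumes the custom
# attribute is named "custom:userId" and the access-token claim "userId";
# access-token customization needs the V2_0 trigger and advanced security
# features enabled on the user pool.
CUSTOM_ATTRIBUTE = "custom:userId"  # assumed custom attribute name
ACCESS_TOKEN_CLAIM = "userId"       # assumed claim name the API will read


def lambda_handler(event, context):
    """Pre Token Generation V2_0 handler: add userId to the access token."""
    if event.get("version") == "1":
        # V1 events can only customize the id token; leave the response alone.
        return event
    attrs = event.get("request", {}).get("userAttributes", {})
    user_id = attrs.get(CUSTOM_ATTRIBUTE)
    if not user_id:
        # No attribute on the user record: add nothing rather than a bogus
        # claim; the API falls back to "sub" (see user_id_from_access_token_claims).
        return event
    details = (event.setdefault("response", {})
               .setdefault("claimsAndScopeOverrideDetails", {}))
    access = details.setdefault("accessTokenGeneration", {})
    access.setdefault("claimsToAddOrOverride", {})[ACCESS_TOKEN_CLAIM] = user_id
    return event


def user_id_from_access_token_claims(claims, lookup_by_sub):
    """API side: read userId from already verified access-token claims,
    falling back to a backend sub -> userId mapping (assumed callback)."""
    return claims.get(ACCESS_TOKEN_CLAIM) or lookup_by_sub(claims["sub"])


# Constructed sample event (not a captured Cognito event).
SAMPLE_EVENT = {
    "version": "2",
    "triggerSource": "TokenGeneration_HostedAuth",
    "request": {
        "userAttributes": {
            "sub": "c0ffee00-0000-4000-8000-000000000001",
            CUSTOM_ATTRIBUTE: "user-12345",
        },
        "scopes": ["openid"],
    },
    "response": {"claimsAndScopeOverrideDetails": {}},
}

if __name__ == "__main__":
    out = lambda_handler(SAMPLE_EVENT, None)
    print(out["response"]["claimsAndScopeOverrideDetails"]["accessTokenGeneration"])
```

Verify the access token's signature and `client_id`/`token_use` claims before calling `user_id_from_access_token_claims`; the helper assumes the claims are already trusted.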


The ID token is meant for authentication. It contains claims about the identity of the authenticated user, such as user ID, username, and any custom attributes. The access token is meant for authorization. It grants the client application access to specific resources on behalf of the user. It is used to make requests to protected resources, such as API endpoints.

Jagan
answered 3 months ago
  • I see! Thank you man!
