Access user info from lambda












0















I'm working on a serverless app with aws.



I use AWS Cognito User Pool to manage user : register, login, logout.
Once those users have been confirmed, I use AWS Cognito Identity Pool to get temporary credentials. Then I use those credentials to access the api (the endpoint on my api require AWS_IAM for Auth and call lambda).



All of that work perfectly. But I need to know which user has requested the action. In the lambda I can get the IdentityId from my Identity Pool. But I need to get attributes from my user in User Pool.



So my question is : is there a way to get a user from User Pool using the IdentityId of the Identity attached to it ? Or at least, get the access token ? I know I can send the access token in headers but I would like to only depend on the AWS_IAM auth.










share|improve this question



























    0















    I'm working on a serverless app with aws.



    I use AWS Cognito User Pool to manage user : register, login, logout.
    Once those users have been confirmed, I use AWS Cognito Identity Pool to get temporary credentials. Then I use those credentials to access the api (the endpoint on my api require AWS_IAM for Auth and call lambda).



    All of that work perfectly. But I need to know which user has requested the action. In the lambda I can get the IdentityId from my Identity Pool. But I need to get attributes from my user in User Pool.



    So my question is : is there a way to get a user from User Pool using the IdentityId of the Identity attached to it ? Or at least, get the access token ? I know I can send the access token in headers but I would like to only depend on the AWS_IAM auth.










    share|improve this question

























      0












      0








      0








      I'm working on a serverless app with aws.



      I use AWS Cognito User Pool to manage user : register, login, logout.
      Once those users have been confirmed, I use AWS Cognito Identity Pool to get temporary credentials. Then I use those credentials to access the api (the endpoint on my api require AWS_IAM for Auth and call lambda).



      All of that work perfectly. But I need to know which user has requested the action. In the lambda I can get the IdentityId from my Identity Pool. But I need to get attributes from my user in User Pool.



      So my question is : is there a way to get a user from User Pool using the IdentityId of the Identity attached to it ? Or at least, get the access token ? I know I can send the access token in headers but I would like to only depend on the AWS_IAM auth.










      share|improve this question














      I'm working on a serverless app with aws.



      I use AWS Cognito User Pool to manage user : register, login, logout.
      Once those users have been confirmed, I use AWS Cognito Identity Pool to get temporary credentials. Then I use those credentials to access the api (the endpoint on my api require AWS_IAM for Auth and call lambda).



      All of that work perfectly. But I need to know which user has requested the action. In the lambda I can get the IdentityId from my Identity Pool. But I need to get attributes from my user in User Pool.



      So my question is : is there a way to get a user from User Pool using the IdentityId of the Identity attached to it ? Or at least, get the access token ? I know I can send the access token in headers but I would like to only depend on the AWS_IAM auth.







      aws-lambda aws-api-gateway amazon-cognito






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 15 '18 at 15:31









      AnneAnne

      272




      272
























          1 Answer
          1






          active

          oldest

          votes


















          0














          Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user- depending on your configuration).




          1. Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools).


          2. You can then use this token against the userpools:GetUser end point.



          There's a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.






          share|improve this answer


























          • But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool

            – Anne
            Nov 16 '18 at 10:49











          • Sorry- I had misunderstood and thought you had an idToken- I've updated my answer for the approach you'd take with identity_id

            – thomasmichaelwallace
            Nov 16 '18 at 11:39











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322757%2faccess-user-info-from-lambda%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          0














          Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user- depending on your configuration).




          1. Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools).


          2. You can then use this token against the userpools:GetUser end point.



          There's a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.






          share|improve this answer


























          • But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool

            – Anne
            Nov 16 '18 at 10:49











          • Sorry- I had misunderstood and thought you had an idToken- I've updated my answer for the approach you'd take with identity_id

            – thomasmichaelwallace
            Nov 16 '18 at 11:39
















          0














          Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user- depending on your configuration).




          1. Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools).


          2. You can then use this token against the userpools:GetUser end point.



          There's a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.






          share|improve this answer


























          • But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool

            – Anne
            Nov 16 '18 at 10:49











          • Sorry- I had misunderstood and thought you had an idToken- I've updated my answer for the approach you'd take with identity_id

            – thomasmichaelwallace
            Nov 16 '18 at 11:39














          0












          0








          0







          Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user- depending on your configuration).




          1. Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools).


          2. You can then use this token against the userpools:GetUser end point.



          There's a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.






          share|improve this answer















          Getting from a federated identity_id back to the user pool user is tricky because there's no guarantee it is a user pool user (it could well be someone from Facebook, or even an unauthenticated user- depending on your configuration).




          1. Given an IdentityId you can use identity:GetOpenIdToken to get a valid OpenId token (you can ignore the logins part of the request if you are just using UserPools).


          2. You can then use this token against the userpools:GetUser end point.



          There's a few pitfalls here, like ensuring you authenticate with a scope that allows you to see all the attributes you care about. If you haven't, then you'll need to use the username returned with userpools:AdminGetUser to get the full user profile.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 16 '18 at 11:38

























          answered Nov 16 '18 at 9:36









          thomasmichaelwallacethomasmichaelwallace

          2,5751917




          2,5751917













          • But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool

            – Anne
            Nov 16 '18 at 10:49











          • Sorry- I had misunderstood and thought you had an idToken- I've updated my answer for the approach you'd take with identity_id

            – thomasmichaelwallace
            Nov 16 '18 at 11:39



















          • But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool

            – Anne
            Nov 16 '18 at 10:49











          • Sorry- I had misunderstood and thought you had an idToken- I've updated my answer for the approach you'd take with identity_id

            – thomasmichaelwallace
            Nov 16 '18 at 11:39

















          But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool

          – Anne
          Nov 16 '18 at 10:49





          But sub attribute of a user in User Pool is not equal to identity_id of the identity in Identity Pool

          – Anne
          Nov 16 '18 at 10:49













          Sorry- I had misunderstood and thought you had an idToken- I've updated my answer for the approach you'd take with identity_id

          – thomasmichaelwallace
          Nov 16 '18 at 11:39





          Sorry- I had misunderstood and thought you had an idToken- I've updated my answer for the approach you'd take with identity_id

          – thomasmichaelwallace
          Nov 16 '18 at 11:39


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53322757%2faccess-user-info-from-lambda%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          這個網誌中的熱門文章

          Xamarin.form Move up view when keyboard appear

          Post-Redirect-Get with Spring WebFlux and Thymeleaf

          Anylogic : not able to use stopDelay()