Nice work on all the new features! Excited to make use of them.
However, the docs aren't clear on API Gateway integration with user pools. Now that I've created my Cognito user pool authorizer and attached it to my method request authorization settings, where exactly do the claims of that user go?
I am trying to pass the output of the authorizer to my lambda function. According to the docs we are looking for a principalId, however the authorizer does not output a principalId. The authorizer outputs this:
{
"sub": "cdad23f0-2ad6-4dc1-993d-bbb3f6f8c707",
"aud": "clm2h5m9uemul1rcfmbidiv1j",
"email_verified": "true",
"token_use": "id",
"auth_time": "1469814773",
"iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_4NUJPijFI",
"name": "Sarah Stumbo",
"exp": "Fri Jul 29 18:52:53 UTC 2016",
"iat": "Fri Jul 29 17:52:53 UTC 2016",
"email": "[email protected]"
}
How do I get the id (sub) to my Lambda function once it's authorized?
Below is our body mapping template:
## This template will pass through all parameters including path, querystring, header, stage variables, and context through to the integration endpoint via the body/payload
## NOTE(review): "all parameters" includes every request header, so credential-bearing headers
## (the event dump further down this page shows x-api-key and x-amz-security-token) reach the
## integration as well. Avoid logging the whole event downstream, or map only the fields needed.
#set($allParams = $input.params())
{
## Request body, inserted as JSON rather than as a quoted string.
"body" : $input.json('$'),
"params" : {
## Outer loop: one JSON object per parameter group returned by $input.params()
## (the dump on this page shows path, querystring and header).
#foreach($type in $allParams.keySet())
#set($params = $allParams.get($type))
"$type" : {
## Inner loop: parameter values are client-supplied, so each one is passed through
## $util.escapeJavaScript before being placed inside the quoted JSON string.
## NOTE(review): escapeJavaScript also rewrites ' as \', which is not a valid JSON escape;
## confirm the consumer tolerates it. The key ($paramName) is emitted without escaping.
#foreach($paramName in $params.keySet())
"$paramName" : "$util.escapeJavaScript($params.get($paramName))"
#if($foreach.hasNext),#end
#end
}
#if($foreach.hasNext),#end
#end
},
"stage" : {
## Stage variables get the same escaping as request parameters.
#foreach($key in $stageVariables.keySet())
"$key" : "$util.escapeJavaScript($stageVariables.get($key))"
#if($foreach.hasNext),#end
#end
},
## NOTE(review): unlike the params and stage values above, the $context values below are
## inserted without $util.escapeJavaScript. user-agent presumably mirrors the client's
## User-Agent header (verify); if so, a quote character in it could break or alter the
## generated JSON, so consider escaping that value the same way as the parameters.
"context" : {
"account-id" : "$context.identity.accountId",
"api-id" : "$context.apiId",
"api-key" : "$context.identity.apiKey",
## principalId is the field the poster's docs describe; per the reply on this page, Cognito
## user pool claims are exposed under $context.authorizer.claims (for example
## $context.authorizer.claims.sub), which this template does not map.
"authorizer-principal-id" : "$context.authorizer.principalId",
"caller" : "$context.identity.caller",
"cognito-authentication-provider" : "$context.identity.cognitoAuthenticationProvider",
"cognito-authentication-type" : "$context.identity.cognitoAuthenticationType",
"cognito-identity-id" : "$context.identity.cognitoIdentityId",
"cognito-identity-pool-id" : "$context.identity.cognitoIdentityPoolId",
"http-method" : "$context.httpMethod",
"stage" : "$context.stage",
"source-ip" : "$context.identity.sourceIp",
"user" : "$context.identity.user",
"user-agent" : "$context.identity.userAgent",
"user-arn" : "$context.identity.userArn",
"request-id" : "$context.requestId",
"resource-id" : "$context.resourceId",
"resource-path" : "$context.resourcePath"
}
}
Hello Sarah,
All the claims from the Cognito user pool authorizer can be found in the "claims" map in the context. So for example, if you want to extract the sub and email out, you would use something like this in your body mapping template -
## Maps two claims from the Cognito user pool authorizer into the integration payload.
## NOTE(review): the later posts on this page get empty strings from these references. The
## event dump there shows IAM-style identity fields (caller, user-arn) filled in while
## "claims" is empty, so presumably that request was not authorized by a user pool
## authorizer; confirm the method's authorization setting before relying on these values.
## The Lambda should treat a blank sub as unauthenticated rather than as a valid identity.
{
"context" : {
"sub" : "$context.authorizer.claims.sub",
"email" : "$context.authorizer.claims.email"
}
}
Hope that helps.
Thanks!
Ritisha.
Thanks! that works :)
Hi @sarah-pixvana
I followed the document but get blank values:
{
"context": {
"sub": "",
"email": ""
}
}
Could you help?
Same here, getting an empty context:
"{
"event": {
"operation": "create",
"body-json": {
"name": "asdsdsd",
"location": "United States"
},
"params": {
"path": {},
"querystring": {},
"header": {
"Accept": "application/json",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-us",
"CloudFront-Forwarded-Proto": "https",
"CloudFront-Is-Desktop-Viewer": "true",
"CloudFront-Is-Mobile-Viewer": "false",
"CloudFront-Is-SmartTV-Viewer": "false",
"CloudFront-Is-Tablet-Viewer": "false",
"CloudFront-Viewer-Country": "CR",
"content-type": "application/json",
"Host": "dddddddd.execute-api.us-west-2.amazonaws.com",
"User-Agent": "dddddd/1 CFNetwork/811.4.16 Darwin/16.7.0",
"Via": "2.0 d5b4c1c5364f13ccd0e091af5a1e742b.cloudfront.net (CloudFront)",
"X-Amz-Cf-Id": "GPCddddd-Gbvwkj2h9T1tQ==",
"X-AMZ-Date": "20ddd215343Z",
"x-amz-security-token": "AgoGb3JpZ2ddU=",
"X-Amzn-Trace-Id": "Root=1-59542567-46fce549097e50dd2f7cf888",
"x-api-key": "xxxxx",
"X-Forwarded-For": "186ddd2",
"X-Forwarded-Port": "443",
"X-Forwarded-Proto": "https"
}
},
"stage-variables": {},
"claims": {},
"context": {
"account-id": "xxxx",
"api-id": "xxxx",
"api-key": "xxxx",
"authorizer-principal-id": "",
"caller": "xxxx:CognitoIdentityCredentials",
"cognito-authentication-provider": "cognito-idp.us-west-2.amazonaws.com/us-west-2_SLC7ee3jy,cognito-idp.us-west-2.amazonaws.com/us-west-2_SLC7ee3jy:CognitoSignIn:xxxxx-deab-4fda-89ab-xxx",
"cognito-authentication-type": "authenticated",
"cognito-identity-id": "us-west-2:xxxxxx-cec7-4b35-8068-145f91431071",
"cognito-identity-pool-id": "us-west-2:xxxxx-329d-4fcb-ab70-6bfab5526a6b",
"http-method": "POST",
"stage": "develop",
"source-ip": "186xx8.46",
"user": "xxxx:CognitoIdentityCredentials",
"user-agent": "xxxx/1 CFNetwork/811.4.16 Darwin/16.7.0",
"user-arn": "arn:aws:sts::xxx:assumed-role/adminGroup/CognitoIdentityCredentials",
"request-id": "410cff12-5c4c-11e7-94eb-df3d505d79b9",
"resource-id": "xxxx",
"resource-path": "/xxx"
}
},
"context": {
"callbackWaitsForEmptyEventLoop": true,
"logGroupName": "/aws/lambda/xxxxxx",
"logStreamName": "2017/06/28/[$LATEST]75f0c06d33f24f7aabaeaf76dab95dce",
"functionName": "xxx",
"memoryLimitInMB": "128",
"functionVersion": "$LATEST",
"invokeid": "410f225f-5c4c-11e7-a9c2-xx",
"awsRequestId": "410f225f-5c4c-11e7-a9c2-xxx",
"invokedFunctionArn": "arn:aws:lambda:us-west-2:xxxxx:function:thermostatMgm"
}
}"