Amazon-cognito-identity-js: More details on API gateway integration

Created on 29 Jul 2016 · 4 Comments · Source: amazon-archives/amazon-cognito-identity-js

Nice work on all the new features! Excited to make use of them.

However, the docs aren't clear on API Gateway integration with user pools. Now that I've created my Cognito user pool authorizer, and attached it to my method request authorization settings, where exactly do the claims of that user go?

I am trying to pass the output of the authorizer to my lambda function. According to the docs we are looking for a principalId, however the authorizer does not output a principalId. The authorizer outputs this:

{
 "sub": "cdad23f0-2ad6-4dc1-993d-bbb3f6f8c707",
 "aud": "clm2h5m9uemul1rcfmbidiv1j",
 "email_verified": "true",
 "token_use": "id",
 "auth_time": "1469814773",
 "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_4NUJPijFI",
 "name": "Sarah Stumbo",
 "exp": "Fri Jul 29 18:52:53 UTC 2016",
 "iat": "Fri Jul 29 17:52:53 UTC 2016",
 "email": "[email protected]"
}

How do I get the id (sub) to my lambda function once it's authorized?

Below is our body mapping template:

##  This template will pass through all parameters including path, querystring, header, stage variables, and context through to the integration endpoint via the body/payload
#set($allParams = $input.params())
{
"body" : $input.json('$'),
"params" : {
#foreach($type in $allParams.keySet())
   #set($params = $allParams.get($type))
"$type" : {
   #foreach($paramName in $params.keySet())
   "$paramName" : "$util.escapeJavaScript($params.get($paramName))"
       #if($foreach.hasNext),#end
   #end
}
   #if($foreach.hasNext),#end
#end
},
"stage" : {
#foreach($key in $stageVariables.keySet())
"$key" : "$util.escapeJavaScript($stageVariables.get($key))"
   #if($foreach.hasNext),#end
#end
},
"context" : {
   "account-id" : "$context.identity.accountId",
   "api-id" : "$context.apiId",
   "api-key" : "$context.identity.apiKey",
   "authorizer-principal-id" : "$context.authorizer.principalId",
   "caller" : "$context.identity.caller",
   "cognito-authentication-provider" : "$context.identity.cognitoAuthenticationProvider",
   "cognito-authentication-type" : "$context.identity.cognitoAuthenticationType",
   "cognito-identity-id" : "$context.identity.cognitoIdentityId",
   "cognito-identity-pool-id" : "$context.identity.cognitoIdentityPoolId",
   "http-method" : "$context.httpMethod",
   "stage" : "$context.stage",
   "source-ip" : "$context.identity.sourceIp",
   "user" : "$context.identity.user",
   "user-agent" : "$context.identity.userAgent",
   "user-arn" : "$context.identity.userArn",
   "request-id" : "$context.requestId",
   "resource-id" : "$context.resourceId",
   "resource-path" : "$context.resourcePath"
   }
}

All 4 comments

Hello Sarah,

All the claims from the Cognito user pool authorizer can be found in the "claims" map in the context. So for example, if you want to extract the sub and email out, you would use something like this in your body mapping template -

{
"context" : {
    "sub" : "$context.authorizer.claims.sub",
    "email" : "$context.authorizer.claims.email"
    }
}

Hope that helps.

Thanks!
Ritisha.

Thanks! That works :)

Hi @sarah-pixvana
I followed the document but get blank values:

{
  "context": {
    "sub": "",
    "email": ""
  }
}

Could you help?

Same here, getting empty context

"{
  "event": {
    "operation": "create",
    "body-json": {
      "name": "asdsdsd",
      "location": "United States"
    },
    "params": {
      "path": {},
      "querystring": {},
      "header": {
        "Accept": "application/json",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-us",
        "CloudFront-Forwarded-Proto": "https",
        "CloudFront-Is-Desktop-Viewer": "true",
        "CloudFront-Is-Mobile-Viewer": "false",
        "CloudFront-Is-SmartTV-Viewer": "false",
        "CloudFront-Is-Tablet-Viewer": "false",
        "CloudFront-Viewer-Country": "CR",
        "content-type": "application/json",
        "Host": "dddddddd.execute-api.us-west-2.amazonaws.com",
        "User-Agent": "dddddd/1 CFNetwork/811.4.16 Darwin/16.7.0",
        "Via": "2.0 d5b4c1c5364f13ccd0e091af5a1e742b.cloudfront.net (CloudFront)",
        "X-Amz-Cf-Id": "GPCddddd-Gbvwkj2h9T1tQ==",
        "X-AMZ-Date": "20ddd215343Z",
        "x-amz-security-token": "AgoGb3JpZ2ddU=",
        "X-Amzn-Trace-Id": "Root=1-59542567-46fce549097e50dd2f7cf888",
        "x-api-key": "xxxxx",
        "X-Forwarded-For": "186ddd2",
        "X-Forwarded-Port": "443",
        "X-Forwarded-Proto": "https"
      }
    },
    "stage-variables": {},
    "claims": {},
    "context": {
      "account-id": "xxxx",
      "api-id": "xxxx",
      "api-key": "xxxx",
      "authorizer-principal-id": "",
      "caller": "xxxx:CognitoIdentityCredentials",
      "cognito-authentication-provider": "cognito-idp.us-west-2.amazonaws.com/us-west-2_SLC7ee3jy,cognito-idp.us-west-2.amazonaws.com/us-west-2_SLC7ee3jy:CognitoSignIn:xxxxx-deab-4fda-89ab-xxx",
      "cognito-authentication-type": "authenticated",
      "cognito-identity-id": "us-west-2:xxxxxx-cec7-4b35-8068-145f91431071",
      "cognito-identity-pool-id": "us-west-2:xxxxx-329d-4fcb-ab70-6bfab5526a6b",
      "http-method": "POST",
      "stage": "develop",
      "source-ip": "186xx8.46",
      "user": "xxxx:CognitoIdentityCredentials",
      "user-agent": "xxxx/1 CFNetwork/811.4.16 Darwin/16.7.0",
      "user-arn": "arn:aws:sts::xxx:assumed-role/adminGroup/CognitoIdentityCredentials",
      "request-id": "410cff12-5c4c-11e7-94eb-df3d505d79b9",
      "resource-id": "xxxx",
      "resource-path": "/xxx"
    }
  },
  "context": {
    "callbackWaitsForEmptyEventLoop": true,
    "logGroupName": "/aws/lambda/xxxxxx",
    "logStreamName": "2017/06/28/[$LATEST]75f0c06d33f24f7aabaeaf76dab95dce",
    "functionName": "xxx",
    "memoryLimitInMB": "128",
    "functionVersion": "$LATEST",
    "invokeid": "410f225f-5c4c-11e7-a9c2-xx",
    "awsRequestId": "410f225f-5c4c-11e7-a9c2-xxx",
    "invokedFunctionArn": "arn:aws:lambda:us-west-2:xxxxx:function:thermostatMgm"
  }
}"
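
An added example (not from the thread or from the amazon-cognito-identity-js project) of a Lambda-side check that fails closed when the mapped identity is blank. In the last dump the `$context.identity` Cognito fields are populated while `claims` is empty, which is the shape of a request signed with Cognito Identity credentials rather than one carrying a user pool token through the authorizer. The names `resolveCaller`, `present` and `samples` are hypothetical, and the function takes the mapped event produced by the templates quoted above.

```javascript
// Added example, not code from the thread. Event shapes follow the mapping
// templates and dumps quoted above; all sample values are constructed.

// API Gateway renders an undefined $context variable as "", so "" means absent.
function present(v) {
  return typeof v === 'string' && v.trim() !== '';
}

function resolveCaller(event) {
  const ctx = (event && event.context) || {};
  const claims = (event && event.claims) || {};

  // Path 1: the user pool authorizer ran and the template mapped
  // $context.authorizer.claims.* into the event.
  const sub = present(ctx.sub) ? ctx.sub : claims.sub;
  if (present(sub)) {
    return { source: 'user-pool-authorizer', sub, email: ctx.email || claims.email || null };
  }

  // Path 2: the request was signed with Cognito Identity credentials, so there
  // are no authorizer claims; identity is in the $context.identity.* fields.
  const identityId = ctx['cognito-identity-id'];
  if (present(identityId) && ctx['cognito-authentication-type'] === 'authenticated') {
    const provider = ctx['cognito-authentication-provider'] || '';
    const m = /:CognitoSignIn:([^:,]+)$/.exec(provider);
    return { source: 'identity-pool', identityId, userPoolSub: m ? m[1] : null };
  }

  // Neither path yielded an identity: refuse instead of running as user "".
  throw new Error('Unauthorized: no caller identity in event');
}

// Constructed sample events.
const samples = {
  userPool: { context: { sub: '11111111-2222-4333-8444-555555555555', email: 'user@example.com' } },
  blank: { context: { sub: '', email: '' } },
  identityPool: {
    claims: {},
    context: {
      'cognito-authentication-type': 'authenticated',
      'cognito-identity-id': 'us-west-2:00000000-0000-4000-8000-000000000000',
      'cognito-authentication-provider':
        'cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE,' +
        'cognito-idp.us-west-2.amazonaws.com/us-west-2_EXAMPLE:CognitoSignIn:11111111-2222-4333-8444-555555555555',
    },
  },
};
```

The `source` field tells downstream code which authorization path produced the identity, so a handler that expects user pool claims can reject requests that arrived through the other path.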