Aws Cognito/Getting User Information from the Sub

How do I look up a cognito user by their sub/UUID?

As of today this is not possible with Cognito User Pools.

Users can only be looked up using their username or aliases. ListUsers API also allows users to be searched by providing search filters on some standard attributes but sub is not one of them.

AWS Cognito / Getting user information from the sub

You would use the ListUsers API, indeed.

Here is its documentation for AWS iOS SDK. One of the filters you can apply is for "sub".

The user calling ListUsers must have a role assigned that will grant it access to that API. Have a look at this AWS blog post for an example in JS.

However, you can't allow everyone to list all users in the pool, that would be a huge security hole. Permissions to list all users should be reserved to application administrators, and only if needed. Instead, what you can do is set up a Lambda function on AWS, called through API Gateway. The function would take the sub as input and would return the email address. The role attached to that function would give it access to call ListUsers for your pool. That would limit the amount of information your users can get about others, but your Lambda should still run checks to make sure it's not abused. For example, if user X wants to get the email address of user Y, user Y should approve that in advance.

I don't know your use case, but in general, allowing anyone to get information about any user of your app should be done with care. Any interaction between users should be transparent to them and agreed to. Keep in mind that users can log in to Cognito from outside your application if they can find the app ID and secret token. When giving a user access to anything, think about how it can be misused. You might realize that you should rethink how you approach the problem.
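The Lambda-behind-API-Gateway design from the answer above, as an added example (not code from the original post): the caller's identity is taken from the Cognito authorizer's verified claims, a consent check runs before any lookup, and only then is ListUsers called with a filter on the standard `sub` attribute. The `approvals` consent store and `FakeCognito` client are assumptions so that it runs offline; a real deployment would use `boto3.client("cognito-idp")` under the role attached to the function.

```python
import re

SUB_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")

def lookup_email_by_sub(cognito, user_pool_id, sub):
    """Resolve a sub to an email with ListUsers filtered on the standard 'sub' attribute."""
    if not SUB_RE.match(sub):  # subs are UUIDs; this keeps untrusted text out of the filter string
        raise ValueError("sub is not a UUID")
    resp = cognito.list_users(UserPoolId=user_pool_id, Filter=f'sub = "{sub}"', Limit=1)
    for user in resp.get("Users", []):
        attrs = {a["Name"]: a["Value"] for a in user.get("Attributes", [])}
        if attrs.get("sub") == sub:
            return attrs.get("email")
    return None

def handler(event, cognito, user_pool_id, approvals):
    """API Gateway -> Lambda behind a Cognito authorizer: the caller's identity comes from the verified
    claims, never from the request. `approvals` (hypothetical consent store) holds (target_sub, requester_sub)."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    requester = claims.get("sub")
    target = (event.get("queryStringParameters") or {}).get("sub", "")
    if not requester or not SUB_RE.match(target):
        return {"statusCode": 400, "body": "bad request"}
    # Consent check before any lookup: users may look themselves up, anyone else needs prior approval,
    # and the 403 does not reveal whether the target sub exists.
    if target != requester and (target, requester) not in approvals:
        return {"statusCode": 403, "body": "not authorised"}
    email = lookup_email_by_sub(cognito, user_pool_id, target)
    if email is None:
        return {"statusCode": 404, "body": "not found"}
    return {"statusCode": 200, "body": email}

class FakeCognito:
    """Offline stand-in for boto3.client("cognito-idp") with constructed users; only `name = "value"` filters."""
    USERS = [
        {"Username": "alice", "Attributes": [
            {"Name": "sub", "Value": "11111111-2222-3333-4444-555555555555"},
            {"Name": "email", "Value": "alice@example.com"}]},
        {"Username": "bob", "Attributes": [
            {"Name": "sub", "Value": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"},
            {"Name": "email", "Value": "bob@example.com"}]},
    ]

    def list_users(self, UserPoolId, Filter, Limit=60):
        name, _, value = Filter.partition(" = ")
        value = value.strip('"')
        hits = [u for u in self.USERS
                if any(a["Name"] == name and a["Value"] == value for a in u["Attributes"])]
        return {"Users": hits[:Limit]}
```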

How to get user attributes (username, email, etc.) using cognito identity id

The ID Token that you exchange with Cognito federated identity service to get the identity id and credentials already has all user attributes. You do not need an extra call to any service.


It is a JWT token and you can use any library on the client to decode the values. You can read this guide for more information about the tokens vended by Cognito user pools.

Alternatively, you can also use the Access Token to call GetUser API which will return all the user information.

Finding user associated with a Cognito Identity

After speaking to AWS developer support I found that it's not possible to link a Cognito Identity back to a user in a Cognito User Pool.

Hence, if you need to know which user your backend is executing code on behalf of, in a lambda perhaps, you have the following options:

  • Send user info inside the request. Even if the lambda invocation is authenticated with a Cognito Identity, and the lambda has access to the identity in the lambda's context, if you want user info you need to send it yourself. For example send the ID Token in the request, validate it server side, and extract user info from it.

  • Use Cognito Sync to create a dataset for your Cognito Identities. Store a bit of user info inside the dataset.

AWS Cognito - get user's sub in Lambda Trigger function

You can refer to this file for event structs. It's in golang, however, the same struct should be there for other languages.

Then you can retrieve the sub attribute from the userAttributes object. Other fields (e.g. cognito:user_status, email, email_verified, name) could be used depending on your requirements.

How to get Cognito user pool sub attribute on iOS

It seems that I have to specifically request the attributes via the user details like this:

AWSCognitoIdentityUserPool *pool = [AWSCognitoIdentityUserPool CognitoIdentityUserPoolForKey:AWSCognitoUserPoolsSignInProviderKey];
AWSCognitoIdentityUser *user = [pool currentUser];

// __block so the assignment inside the completion block is visible outside it;
// getDetails is asynchronous, so mySub is only populated once the block has run.
__block NSString *mySub;

[[user getDetails] continueWithBlock:^id _Nullable(AWSTask<AWSCognitoIdentityUserGetDetailsResponse *> * _Nonnull task) {
    if (!task.error) {
        AWSCognitoIdentityUserGetDetailsResponse *response = task.result;
        NSArray<AWSCognitoIdentityProviderAttributeType *> *userAttributes = response.userAttributes;
        // iterate the array just fetched from the response (not a property on self)
        for (AWSCognitoIdentityProviderAttributeType *attr in userAttributes) {
            if ([attr.name isEqualToString:@"sub"]) {
                mySub = attr.value;
            }
        }
    } else {
        NSLog(@"Error fetching Cognito User Attributes: %@", task.error.localizedDescription);
    }
    return nil;
}];
