AWS Cognito OAuth2 access the STATE or SCOPE parameter by some Lambda Trigger - amazon-cognito

When a user accesses my API and authenticates through Cognito, is it possible to access the STATE of the OAuth2 auth request somehow in one of the Lambda triggers?

Unfortunately, as per the documentation, there is no way to access the state parameter in a Cognito trigger. You can, however, access it in your OAuth2 callback URL; it is passed as a query parameter.

Related

AWS Amplify: possible to use Cognito with Lambda authorization?

Amplify allows specifying multiple authorization strategies on persistence operations. I want to use Lambda authorization for some operations (mutations), and Cognito owner-based authorization for other operations (queries).
In my tests, Cognito conflicts with the Lambda authorization and Lambda execution gets skipped entirely. Is there a way around this?
I read that Lambda authorization expects a custom auth token to be provided. Can I just pass the auth token of the signed-in Cognito user to the Lambda as a "custom" token? The end goal is to have both the Lambda authorizer and the auto-generated VTL resolvers execute.

aws:check if a Cognito user is authenticated in a lambda function

Is it possible to find out if a user has authenticated in a Cognito pool from a Node.js Lambda function?
User name (alias) is known
Thanks
Andy
If you are calling a Lambda function that should only be executed by a user authenticated through Cognito, you should be looking into using API Gateway:
https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html

AWS Cognito Pre authentication lambda trigger on federation login

In my project we have some federation providers integrated (e.g., Outlook). So whenever a user logs in via a valid configured federation domain name there are no issues, but whenever a user tries to log in via federation with an unsupported (not integrated) domain name (e.g., XXX#gmail.com), Cognito just redirects to the same login page without showing any error message saying Unsupported Domain.
To handle the error we thought of triggering the pre-authentication Lambda, but the pre-authentication Lambda is not triggered for the federation login flow. It triggers only for login via the Cognito User Identity Pool.
The question is: are there any alternatives where I can trigger the pre-authentication Lambda for the federation login flow in AWS Cognito, to handle an error message on an unsupported federation user domain name attempt?
I was working on a project in which we had to add a user to DynamoDB whenever a new user signs up; we were providing Google, Azure, and (email, password) as options for sign-in/up. Let's get straight to the point. I solved this problem by attaching my Lambda to the POST_CONFIRMATION trigger of Cognito and mapping identity attributes, then saving these values in my DynamoDB. It works perfectly, but I had to spend 2 nights figuring this out.
If you want to know how I achieved this, then let me know.
Tech stack: AWS Amplify, AppSync, Cognito, DynamoDB, Lambda
PS: The POST_CONFIRMATION trigger works only the first time.
You can create a Lambda function similar to the one that is triggered for the Pre Authentication check, and then call it via API Gateway before login via federation.
The pre-authentication trigger will trigger for federated login. However, according to its AWS doc, the pre-authentication trigger will not happen if the user does not exist within the user pool already.
Note: Triggers are dependent on the user existing in the user pool before trigger activation.
The user from your successful federated login does not exist in Cognito yet, and it will be added to the Cognito pool after the successful login.
Since Cognito will add the federated user to its user pool, it's a sign-up event. You should use the pre-sign-up trigger instead. Federated login will trigger your pre-sign-up Lambda as expected.
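As an added example (not code from any of the answers above), here is the Pre Sign-up trigger the last answer recommends, written against the question's scenario: a federated user whose email domain is not integrated is rejected with an explicit message instead of being silently redirected. The allow-listed domains are placeholders; the `triggerSource` value `PreSignUp_ExternalProvider` is the one Cognito uses for a federated identity's first sign-in.

```javascript
// Added example, not code from the original answers: a Pre Sign-up trigger that
// rejects federated users whose email domain is not on an allow-list. For a
// federated identity's first sign-in Cognito invokes this trigger with
// triggerSource "PreSignUp_ExternalProvider" before it creates the user in the
// pool, which is why a Pre Authentication trigger (which needs an existing
// user) cannot do this job.

// Domains accepted for federated sign-in; placeholder values for the example.
const ALLOWED_DOMAINS = new Set(["example.com", "corp.example.com"]);

// Returns the lower-cased domain part of an address, or null if it has none.
function emailDomain(email) {
  if (typeof email !== "string") return null;
  const at = email.lastIndexOf("@");
  if (at <= 0 || at === email.length - 1) return null;
  return email.slice(at + 1).toLowerCase();
}

// Returns the event to allow the sign-up, or throws to reject it. When a Pre
// Sign-up trigger throws, Cognito aborts the sign-up and returns the error
// message to the client instead of silently sending it back to the login page.
function preSignUp(event) {
  const federated = event.triggerSource === "PreSignUp_ExternalProvider";
  if (!federated) {
    // Native (username/password) sign-ups are left to the pool's own policy
    // in this example; extend the check here if they should be limited too.
    return event;
  }
  const attrs = (event.request && event.request.userAttributes) || {};
  const domain = emailDomain(attrs.email);
  if (!domain || !ALLOWED_DOMAINS.has(domain)) {
    throw new Error("Unsupported domain: " + (domain || "(no email attribute)"));
  }
  return event;
}

exports.handler = async (event) => preSignUp(event);
```

Because the trigger runs before the user record exists, a rejected attempt leaves nothing behind in the pool; the Post Confirmation trigger mentioned in the earlier answer would only run for users this check let through.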

Should I store the cognito auth token in my database?

I have a mobile application which needs to be GDPR compliant. We're using AWS Amplify and AppSync, but we're unclear on how the Cognito auth token is used. Do we need to store the token in our database to associate it with users?
Our concern is that once a user is authenticated, the client will not know which user data is associated with that identity unless we store the auth token.
You don't need to store tokens. Cognito auth tokens are JWT tokens. JWT tokens can have a custom payload within them. Everything you need is already included in it. You can pass literally anything like userId, phoneNumber, etc., any custom data, when you are issuing the tokens.
For example, if you trigger Lambda with API Gateway and use Cognito user pools for authorization, you will automatically get sub etc. in the claims field, by which you will identify the user in the client (in this case the client is Lambda).
If you are using custom Lambda authorizers you can still use Cognito user pools, but this time you are absolutely free to embed any custom data into the token to use later.
Play in jwt.io with your tokens and you will see what's in them already.
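As an added example (not code from the answers on this page), the following Node.js Lambda illustrates both the "check if a Cognito user is authenticated" answer (put API Gateway with a Cognito authorizer in front of the function) and the answer above (the user is identified by `sub` in the claims, with no token stored anywhere). The event shapes for the REST API Cognito authorizer and the HTTP API JWT authorizer are the ones API Gateway documents; the sample token is constructed here and its signature is fake.

```javascript
// Added example, not code from the original answers: identifying the caller in a
// Node.js Lambda that API Gateway invokes with a Cognito user pool authorizer.
// API Gateway has already verified the token's signature and expiry, so the
// claims on the event can be trusted; `sub` is the stable user id.

// Returns the verified claims, or null when the request did not pass through
// an authorizer. Both event shapes are handled:
//   REST API, Cognito authorizer: event.requestContext.authorizer.claims
//   HTTP API, JWT authorizer:     event.requestContext.authorizer.jwt.claims
function callerClaims(event) {
  const auth = event && event.requestContext && event.requestContext.authorizer;
  if (!auth) return null;
  if (auth.claims && typeof auth.claims.sub === "string") return auth.claims;
  if (auth.jwt && auth.jwt.claims && typeof auth.jwt.claims.sub === "string") {
    return auth.jwt.claims;
  }
  return null;
}

// Decodes a JWT payload the way jwt.io displays it. This is inspection only:
// the signature is not checked, so a payload decoded like this must never be
// used for an authorization decision unless the token was verified upstream.
function decodeJwtPayload(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Helper used only to build the constructed sample token below.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: an ID-token-shaped payload with a fake signature.
const SAMPLE_TOKEN = [
  b64url({ alg: "RS256", kid: "constructed-key-id" }),
  b64url({ sub: "abc-123", "cognito:username": "alice", token_use: "id", email: "alice@example.com" }),
  "constructed-signature",
].join(".");

// Pure response builder, kept separate from the async Lambda entry point.
// An ID token carries `cognito:username`; an access token carries `username`.
function respond(event) {
  const claims = callerClaims(event);
  if (!claims) {
    return { statusCode: 401, body: JSON.stringify({ message: "unauthenticated" }) };
  }
  return {
    statusCode: 200,
    body: JSON.stringify({
      userId: claims.sub,
      username: claims["cognito:username"] || claims.username || null,
    }),
  };
}

exports.handler = async (event) => respond(event);
```

The 401 branch only exists for defence in depth (for example when the route is accidentally deployed without the authorizer); with the authorizer attached, API Gateway rejects unauthenticated requests before the function runs, which is the behaviour the "check if authenticated" answer relies on.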

Manage Cognito User Pool using JWT

I have a Node.js Lambda API that's called by an authenticated user. The user is able to access the API by passing a valid JWT token. Now I'd like to interact with the Cognito User Pool to change the user's email, password, etc., but I haven't figured out how to achieve this using just the JWT.
I've made several tests using amplify-js and amazon-cognito-identity-js.
You can reset the user's password through an admin API call (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminResetUserPassword.html), not through the JWT token. This will prompt the user for a new password.
This API call sets a password for that particular user (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminSetUserPassword.html), but I prefer the first option.
In order to change user attributes (such as email, birthday, ...), use https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_AdminUpdateUserAttributes.html
So all these are done using the Cognito service inside the Lambda (not to be confused with the JWT tokens).
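As an added example (not code from the answer above), this Node.js Lambda shows how the two halves fit together: the JWT, verified by API Gateway, only tells the function who the caller is, and the actual change goes through the AdminUpdateUserAttributes admin API under the function's own IAM role. The SDK call is injected as a function so the logic runs offline; the user pool id and the SDK wiring comment are placeholders and assumptions of this example, not details from the page.

```javascript
// Added example, not code from the original answer: a Node.js Lambda behind an
// API Gateway Cognito authorizer that changes the caller's own email address.
// The username comes from the claims API Gateway verified, never from the
// request body, and the change is made through the admin API
// (AdminUpdateUserAttributes) using the Lambda's IAM role, not the JWT.
// The SDK call is injected as `sendAdminCommand(name, input)` so the logic
// runs without AWS access; a real deployment would wire it to
// client.send(new AdminUpdateUserAttributesCommand(input)) from
// @aws-sdk/client-cognito-identity-provider (assumed here, not on the page).

// Placeholder pool id; set USER_POOL_ID in the function's environment.
const USER_POOL_ID = process.env.USER_POOL_ID || "us-east-1_PLACEHOLDER";

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Builds the AdminUpdateUserAttributes input for the authenticated caller.
// Throws with a `status` so the handler can map it to an HTTP response.
function buildUpdateEmailInput(claims, newEmail) {
  // ID tokens carry `cognito:username`; access tokens carry `username`.
  const username = claims && (claims["cognito:username"] || claims.username);
  if (!username) throw Object.assign(new Error("unauthenticated"), { status: 401 });
  if (typeof newEmail !== "string" || !EMAIL_RE.test(newEmail)) {
    throw Object.assign(new Error("invalid email"), { status: 400 });
  }
  return {
    UserPoolId: USER_POOL_ID,
    Username: username,
    UserAttributes: [
      { Name: "email", Value: newEmail },
      // The caller has not proven they control the new address, so mark it
      // unverified explicitly; it must be confirmed before it is trusted for
      // account recovery.
      { Name: "email_verified", Value: "false" },
    ],
  };
}

// Returns the parsed JSON body, or null when the body is not valid JSON.
function parseBody(event) {
  try {
    return JSON.parse(event.body || "{}");
  } catch (e) {
    return null;
  }
}

async function changeEmail(event, sendAdminCommand) {
  const body = parseBody(event);
  if (body === null) {
    return { statusCode: 400, body: JSON.stringify({ message: "malformed JSON" }) };
  }
  const claims = event.requestContext && event.requestContext.authorizer
    && event.requestContext.authorizer.claims;
  let input;
  try {
    input = buildUpdateEmailInput(claims, body.email);
  } catch (e) {
    return { statusCode: e.status || 500, body: JSON.stringify({ message: e.message }) };
  }
  await sendAdminCommand("AdminUpdateUserAttributes", input);
  return { statusCode: 204, body: "" };
}

// Placeholder transport: replace with the Cognito SDK client call described above.
async function sendToCognito(name, input) {
  throw new Error(`wire ${name} to the Cognito SDK client here (placeholder)`);
}

exports.handler = async (event) => changeEmail(event, sendToCognito);
```

Keeping `Username` bound to the verified claims is the point of the design: a request body field such as `username` is never consulted, so a caller can only ever modify their own record even though the function's role is permitted to call the admin API on any user in the pool.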