How do I access the group for a Cognito User accou

Published 2020-02-08 15:27

Question:

In AWS Cognito, you can add a user to a group (after first creating a group). A user may belong to one or more groups.

With using the JavaScript SDK (https://github.com/aws/amazon-cognito-identity-js), is there a way to read the assigned Groups? Would aws-sdk provide access over amazon-cognito-identity-js?

Answer 1:

If you just need the Cognito UserPools Groups the Authenticated User is a member of, instead of making a separate API call, that data is encoded in the idToken.jwtToken that you received when authenticating.

This is useful for client-side rendering/access decisions in angular/react/etc. apps.

See the "cognito:groups" array claim in this example decoded idToken.jwtToken:

{
  "sub": "a18626f5-a011-454a-b4c2-6969b3155c24",
  "cognito:groups": [
    "uw-app-administrator",
    "uw-app-user"
  ],
  "email_verified": true,
  "iss": "https://cognito-idp.<region>.amazonaws.com/<user-pool-id>",
  "cognito:username": "<my-user-name>",
  "given_name": "<my-first-name>",
  "aud": "<audience-code>",
  "token_use": "id",
  "auth_time": 1493918449,
  "nickname": "Bubbles",
  "exp": 1493922049,
  "iat": 1493918449,
  "email": "<my-email>"
}

Hope this helps.
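One way to read the claim shown above, written as an added example that is not part of the original answer: it base64url-decodes the payload segment of a constructed ID token, reads cognito:groups, and refuses the result unless token_use, iss, aud and exp look right. Decoding does not check the signature, so this is only suitable for client-side rendering decisions; any server-side authorization must verify the JWS signature against the pool's JWKS first. The issuer, client id and token below are constructed placeholders, not values from the page.

```javascript
// Added example, not code from the original answer. Reads "cognito:groups"
// from an ID token payload after basic claim checks. No signature check here.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64.
  const padded = segment.replace(/-/g, '+').replace(/_/g, '/') +
    '='.repeat((4 - (segment.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact serialization');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Returns the groups array when the decoded ID token passes the claim checks
// (token_use, issuer, audience, expiry); returns null otherwise. An ID token
// with no "cognito:groups" claim yields an empty array.
function groupsFromIdToken(jwt, expected, nowSeconds) {
  const payload = decodeJwtPayload(jwt);
  if (payload.token_use !== 'id') return null;
  if (payload.iss !== expected.issuer) return null;
  if (payload.aud !== expected.clientId) return null;
  if (typeof payload.exp !== 'number' || payload.exp <= nowSeconds) return null;
  const groups = payload['cognito:groups'];
  return Array.isArray(groups) ? groups : [];
}

// Constructed sample token: placeholder issuer/client id, dummy signature.
const SAMPLE_ISSUER = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
const SAMPLE_CLIENT_ID = 'example-app-client-id';
const samplePayload = {
  sub: '00000000-0000-0000-0000-000000000000',
  'cognito:groups': ['uw-app-administrator', 'uw-app-user'],
  iss: SAMPLE_ISSUER,
  aud: SAMPLE_CLIENT_ID,
  token_use: 'id',
  auth_time: 1493918449,
  exp: 1493922049,
  iat: 1493918449,
};
const sampleIdToken = [
  base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'example-kid' })),
  base64UrlEncode(JSON.stringify(samplePayload)),
  'dummy-signature',
].join('.');

const expected = { issuer: SAMPLE_ISSUER, clientId: SAMPLE_CLIENT_ID };
console.log(groupsFromIdToken(sampleIdToken, expected, 1493918500));
```

The checks mirror what a verifying library does after it has validated the signature; on the client they only stop the app from rendering UI for a stale or foreign token, they do not make the groups trustworthy for anything the server must enforce.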



Answer 2:

I originally expected the Cognito JavaScript API to provide a simple property or method to return the list of groups, but instead I concluded that it was buried within a token, and thus had to learn about jwt. Once the Cognito User is established and the session is retrieved, the array of groups is available within the IdToken.

var express = require('express');
var jwtDecode = require('jwt-decode');
var AmazonCognitoIdentity = require('amazon-cognito-identity-js');
var CognitoUserPool = AmazonCognitoIdentity.CognitoUserPool;
var CognitoUser = AmazonCognitoIdentity.CognitoUser;

var app = express();
// Fill in your own user pool id and app client id.
var userPool = new CognitoUserPool({UserPoolId: '', ClientId: ''});
...
app.get('/app', function(req, res){
    // getCurrentUser() returns the last user that signed in with this SDK, or null.
    var cognitoUser = userPool.getCurrentUser();
    if(cognitoUser != null){
        cognitoUser.getSession(function(err, session) {
            if (err) {
                console.error(err);
                return;
            }
            console.log('session validity: ' + session.isValid());

            // The groups are carried in the ID token payload under the "cognito:groups" claim.
            var sessionIdInfo = jwtDecode(session.getIdToken().jwtToken);
            console.log(sessionIdInfo['cognito:groups']);
        });
    }
});


Answer 3:

This API does exist - AdminListGroupsForUser. The reason you're not seeing it is, as the name implies, that the API is currently only available on an admin basis. Cognito doesn't include admin APIs in the mobile SDKs. It would be included in the AWS SDKs/server side SDKs, but it's worth noting that this API does require developer credentials, as do all admin APIs.
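As an added example (not the answer's own code) of the server-side route this answer describes: a function that calls AdminListGroupsForUser through the aws-sdk v2 CognitoIdentityServiceProvider client and follows NextToken pagination so a user in many groups is not silently truncated. The client is passed in as a parameter so the block runs here against a constructed fake that mimics the request object's .promise() shape; in production you would pass `new AWS.CognitoIdentityServiceProvider({ region })` built with credentials allowed to call cognito-idp:AdminListGroupsForUser. The pool id and username are placeholders.

```javascript
// Added example, not code from the original answer. Lists all groups for a
// user via AdminListGroupsForUser (server side, needs developer credentials),
// following NextToken until the service reports no more pages.
async function listAllGroupsForUser(client, userPoolId, username) {
  const groupNames = [];
  let nextToken;
  do {
    const params = { UserPoolId: userPoolId, Username: username };
    if (nextToken) params.NextToken = nextToken;
    const page = await client.adminListGroupsForUser(params).promise();
    for (const group of page.Groups || []) groupNames.push(group.GroupName);
    nextToken = page.NextToken;
  } while (nextToken);
  return groupNames;
}

// Constructed fake client: each entry in `pages` becomes one response page,
// chained with a NextToken, using the same field names as the real response
// (Groups[].GroupName, NextToken). Not an AWS object.
function makeFakeClient(pages) {
  return {
    adminListGroupsForUser(params) {
      const index = params.NextToken ? Number(params.NextToken) : 0;
      const out = {
        Groups: pages[index].map((name) => ({ GroupName: name, UserPoolId: params.UserPoolId })),
      };
      if (index + 1 < pages.length) out.NextToken = String(index + 1);
      return { promise: () => Promise.resolve(out) };
    },
  };
}

const fakeClient = makeFakeClient([['uw-app-administrator'], ['uw-app-user']]);
listAllGroupsForUser(fakeClient, 'us-east-1_EXAMPLE', 'example-username')
  .then((groups) => console.log(groups));
```

Because this call is authoritative (it asks the service rather than trusting a token the browser presents), it is the right source for server-side authorization decisions; the token-claim approach in the other answers is fine for deciding what to render.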



Answer 4:

If you're using Amplify and you use the currentAuthenticatedUser method, you can get the groups from the response using:

response.signInUserSession.idToken.payload['cognito:groups']

Or using the currentSession method you can use either of:

response.accessToken.payload['cognito:groups']

or

response.idToken.payload['cognito:groups']


Answer 5:

You can now easily get the user groups from the user session:

session.getIdToken().decodePayload();

The returned payload contains the array of groups under the cognito:groups key.



Answer 6:

You do not need to decode anything, the data is already available from session.getIdToken().payload['cognito:groups']