How do I access the group for a Cognito User accou

Posted 2020-02-08 15:22

In AWS Cognito, you can add a user to a group (after first creating a group). A user may belong to one or more groups.

Using the JavaScript SDK (https://github.com/aws/amazon-cognito-identity-js), is there a way to read the assigned Groups? Would aws-sdk provide access over amazon-cognito-identity-js?

6 answers
Lonely孤独者°
#2 · 2020-02-08 15:39

You do not need to decode anything, the data is already available from session.getIdToken().payload['cognito:groups']

ゆ 、 Hurt°
#3 · 2020-02-08 15:40

You can now easily get the user groups from the user session:

session.getIdToken().decodePayload();

This contains an array of groups in the cognito:groups key returned

Evening l夕情丶
#4 · 2020-02-08 15:47

I originally expected the Cognito JavaScript API to provide a simple property or method to return the list of groups, but instead I concluded that it was buried within a token, and thus had to learn about jwt. Once the Cognito User is established and the session is retrieved, the array of groups is available within the IdToken.

var jwtDecode = require('jwt-decode');
var AmazonCognitoIdentity = require('amazon-cognito-identity-js');
var CognitoUserPool = AmazonCognitoIdentity.CognitoUserPool;
var CognitoUser = AmazonCognitoIdentity.CognitoUser;

var userPool = new CognitoUserPool({UserPoolId:'', ClientId:''});
// ...
app.get('/app', function(req, res){
    var cognitoUser = userPool.getCurrentUser();
    if(cognitoUser != null){
        cognitoUser.getSession(function(err, session) {
            if (err) {
                console.error(err);
                return;
            }
            console.log('session validity: ' + session.isValid());

            var sessionIdInfo = jwtDecode(session.getIdToken().jwtToken);
            console.log(sessionIdInfo['cognito:groups']);
        });
    }
});
爱情/是我丢掉的垃圾
#5 · 2020-02-08 15:51

If you just need the Cognito UserPools Groups the Authenticated User is a member of, instead of making a separate API call, that data is encoded in the idToken.jwtToken that you received when authenticating.

This is useful for client-side rendering/access decisions in angular/react/etc. apps.

See the "cognito:groups" array claim in this example decoded idToken.jwtToken:

{
  "sub": "a18626f5-a011-454a-b4c2-6969b3155c24",
  "cognito:groups": [
    "uw-app-administrator",
    "uw-app-user"
  ],
  "email_verified": true,
  "iss": "https://cognito-idp.<region>.amazonaws.com/<user-pool-id>",
  "cognito:username": "<my-user-name>",
  "given_name": "<my-first-name>",
  "aud": "<audience-code>",
  "token_use": "id",
  "auth_time": 1493918449,
  "nickname": "Bubbles",
  "exp": 1493922049,
  "iat": 1493918449,
  "email": "<my-email>"
}

Hope this helps.

做自己的国王
#6 · 2020-02-08 15:53

This API does exist - AdminListGroupsForUser. The reason you're not seeing it is, as the name implies, that the API is currently only available on an admin basis. Cognito doesn't include admin APIs in the mobile SDKs. It would be included in the AWS SDKs/server side SDKs, but it's worth noting that this API does require developer credentials, as do all admin APIs.

Lonely孤独者°
#7 · 2020-02-08 16:02

If you're using Amplify, if you use the currentAuthenticatedUser method you can get the groups from the response using:

response.signInUserSession.idToken.payload['cognito:groups']

Or using the currentSession method you can use either of:

response.accessToken.payload['cognito:groups']

or

response.idToken.payload['cognito:groups']
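
Added example (not part of any answer above): the answers read cognito:groups from the decoded ID token, which is enough for client-side rendering, but a server that authorizes on that claim has to verify the token's signature and claims first. The sketch below does that with Node's built-in crypto; the key pair, issuer and client ID are constructed placeholders, and a real service would take the public key from the user pool's JWKS document.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Verify signature and claims first; only then return cognito:groups.
// publicKey: the user pool signing key matching the token's kid.
function verifiedGroups(token, publicKey, expected, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  // Pin the algorithm instead of trusting the token header's choice.
  if (fromB64url(h).alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = fromB64url(p);
  if (claims.iss !== expected.issuer) throw new Error('wrong issuer');
  if (claims.aud !== expected.clientId) throw new Error('wrong audience');
  if (claims.token_use !== 'id') throw new Error('not an ID token');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  const groups = claims['cognito:groups'];
  return Array.isArray(groups) ? groups : []; // treat a missing claim as "no groups"
}

// --- Constructed sample data: local key pair and placeholder pool values ---
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const EXPECTED = {
  issuer: 'https://cognito-idp.example-region.amazonaws.com/example-pool-id',
  clientId: 'example-client-id',
};

function signSample(claims) {
  const input = `${b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Payload changed after signing, signature left as-is: must be rejected.
function withExtraGroup(token, group) {
  const [h, p, s] = token.split('.');
  const claims = fromB64url(p);
  claims['cognito:groups'] = [...(claims['cognito:groups'] || []), group];
  return `${h}.${b64url(JSON.stringify(claims))}.${s}`;
}

const sampleClaims = { iss: EXPECTED.issuer, aud: EXPECTED.clientId, token_use: 'id',
  exp: Math.floor(Date.now() / 1000) + 3600, 'cognito:groups': ['uw-app-user'] };
const goodToken = signSample(sampleClaims);
console.log(verifiedGroups(goodToken, publicKey, EXPECTED));
try { verifiedGroups(withExtraGroup(goodToken, 'uw-app-administrator'), publicKey, EXPECTED); }
catch (e) { console.log('rejected:', e.message); }
```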