AWS Cognito - How To Get User's Group From Token Object

amazon-web-services amazon-cognito aws-amplify

13,606

Solution 1

The group is in the session Object and in the idToken Payload as seen below.
The group is not there if your user is not in a group. You should be able to access it like accessToken.payload['cognito:groups'];

I happen to have a cognito session object handy for a user in a group, which shows all tokens and all their payloads. As well as what you get when you get the user attributes.

session:

{
   "idToken":{
      "jwtToken":"eyJraWQiOiJQS1wvMHNNMlk...",
      "payload":{
         "sub":"ceb234234-b0e0-4c3d-8abc-af08c002b4de",
         "cognito:groups":[
            "user"
         ],
         "email_verified":true,
         "iss":"https://cognito-idp.us-east-2.amazonaws.com/us-east-2_sinJIhGA8",
         "phone_number_verified":false,
         "cognito:username":"ceba8336-b0e0-4c3d-8abc-af08c002b4de",
         "aud":"203e1rl2o1d8d5chhs9v6s1i79",
         "event_id":"89502ffe-d2fe-11e8-8427-1b3482253d90",
         "token_use":"id",
         "auth_time":1539885130,
         "exp":1539888730,
         "iat":1539885130,
         "email":"[email protected]"
      }
   },
   "refreshToken":{
      "token":"eyJjdHkiOiJKV1QiLCJlb..."
   },
   "accessToken":{
      "jwtToken":"eyJraWQiOiI4N2pRRnpqSm..",
      "payload":{
         "sub":"ceba8336-b0e0-4c3d-8abc-af08c002b4de",
         "device_key":"us-east-2_94234234234b-4cec-ae49-b1f90555d979",
         "cognito:groups":[
            "user"
         ],
         "iss":"https://cognito-idp.us-east-2.amazonaws.com/us-east-2_sinJIhGA8",
         "client_id":"203e1rl223423hhs9v6s1i79",
         "event_id":"895234fe-d2fe-11e8-8427-1b3482253d90",
         "token_use":"access",
         "scope":"aws.cognito.signin.user.admin",
         "auth_time":1539885130,
         "exp":1539888730,
         "iat":1539885130,
         "jti":"936fd8f9-c091-4f642345f-ba9454f16b9c",
         "username":"ceba83362342-4c3d-8abc-af08c002b4de"
      }
   },
   "clockDrift":0
}

userAttributes:

{  
   "details":[  
      {  
         "Name":"sub",
         "Value":"ceba8336-4234-4c3d-8abc-af08c002b4de"
      },
      {  
         "Name":"email_verified",
         "Value":"true"
      },
      {  
         "Name":"phone_number_verified",
         "Value":"false"
      },
      {  
         "Name":"email",
         "Value":"[email protected]"
      }
   ]
}

Solution 2

If someone is using Amplify


Auth.currentAuthenticatedUser()
.then(data => console.log(data.signInUserSession.accessToken.payload['cognito:groups']));

13,606

Author by

Preston

Typical Silicon Valley entrepreneur. Focused on developing projects with the Internet platform model. Do some coding but also hire it out to freelancers. Currently developing single page Web apps with Angular / Material on the front and the Nestjs / TypeORM stack on the server with a Postgresql db.

Updated on July 19, 2022

Comments

Preston almost 2 years

I can see the user's assigned User Pool group in the returned user data object in the console after logging in. Everything I've tried to assign the group to a variable has failed. What am I missing? I can easily get the client_id, JWT's, and attributes.

The object path:

let userGroup = user.signInUserSession.accessToken.payload.cognito.groups[0];

However, this works:

user.signInUserSession.accessToken.payload.client_id;

This section of the object looks like this. I can retrieve the token, the user name, almost anything but groups.

signInUserSession: CognitoUserSession
    accessToken: CognitoAccessToken
        jwtToken: ...
        payload:
            auth_time: 1539824552
            client_id: "5u7o1o1...."
            cognito:groups: Array(1)
                0: "admin-full"
                length: 1
        ... more properties here...
        token_use: "access"
        username: "me"

I'm using Angular 6 and AWS-Amplify but I doubt that matters. Part of my code:

constructor(
    private amplifyService: AmplifyService,
  ) {}

this.amplifyService.auth().currentAuthenticatedUser()
      .then(user => {
         console.log('user data in checkLogin: ', user); // The whole object.
         console.log('user token in checkLogin: ', user.signInUserSession.accessToken.jwtToken); // Retrieves the token.

My whole session object for clarification:

CognitoUser {username: "me", pool: CognitoUserPool, Session: null, client: Client, signInUserSession: CognitoUserSession, …}
Session: null
attributes: {phone_number: "########", locale: "Silicon Valley", given_name: "J", family_name: "Preston", email: "[email protected]"}
authenticationFlowType: "USER_SRP_AUTH"
client: Client {endpoint: "https://cognito-idp.us-west-2.amazonaws.com/", userAgent: "aws-amplify/0.1.x js"}
pool: CognitoUserPool {userPoolId: "us-west-2_UW9KsJm0o", clientId: "5u7o1o1v288e...", client: Client, advancedSecurityDataCollectionFlag: true, storage: Storage}
preferredMFA: "NOMFA"
signInUserSession: CognitoUserSession
accessToken: CognitoAccessToken
jwtToken: "eyJraWQiOiJwaUdRSnc..."
payload:
auth_time: 1539881072
client_id: "5u7o1o1v2..."
cognito:groups: ["admin"]
event_id: "168d9cc3-d2f5-11e8-ae71-f734087f965a"
exp: 1539884672
iat: 1539881072
iss: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_UW9KsJm0o"
jti: "13c4c552-ee70-4f8a-b64d-f95e0bdc81cf"
scope: "aws.cognito.signin.user.admin openid"
sub: "96a047b2-ae9a-42ff-af09-fc1c0802b88f"
token_use: "access"
username: "me"
version: 2
__proto__: Object
__proto__: CognitoJwtToken
clockDrift: 0
idToken: CognitoIdToken {jwtToken: "eyJraWQiOiI...", payload: {…}}
refreshToken: CognitoRefreshToken {token: ""}
__proto__: Object
storage: Storage {CognitoIdentityServiceProvider.5u7o1o1....LastAuthUser: "me", CognitoIdentityServiceProvider.5u7o1o1v....jimadmin.accessToken: "eyJraWQiOiJ...", CognitoIdentityServiceProvider.5u7o1o1....jimadmin.idToken: "eyJraWQiOiI3...", CognitoIdentityServiceProvider.5u7o1o1....jimadmin.refreshToken: "", CognitoIdentityServiceProvider.5u7o1o1....jimadmin.tokenScopesString: "email openid aws.cognito.signin.user.admin", …}
username: "me"

Preston over 5 years

The assigned group is in the object returned by Cognito. I can see it there along with all the other data and JWT's. Since it lives there I want to use it to determine which parts of the application the user can visit. I'll build out the returned object a bit more with an edit to make this clear.
Ryan Breece over 5 years

Adding more to my answer.
Preston over 5 years

I have mostly the same properties in my console but I also have cognito:groups. That is what I'm showing above. I have no idea why you aren't getting the groups included. I'll edit and add some of my code for clarity.
Preston over 5 years

The answer is: this.userGroup = user.signInUserSession.accessToken.payload['cognito:groups']‌; The var holds an array with my user group/s. Thanks! I tried [] before but not the ' '. They made the difference.
Ryan Breece over 5 years

I have edited my answer. It was my fault, the user I was testing with wasn't associated with a group..
Preston over 5 years

Well, we put everything for this issue out there so hopefully it will help others. :-)
Žilvinas over 4 years

I have no idea why my session property value is null?