AWS Cognito - How To Get User's Group From Token Object
Solution 1
The group is in the session object and in the idToken payload, as seen below.
The group is not there if your user is not in a group.
You should be able to access it like accessToken.payload['cognito:groups'];
I happen to have a Cognito session object handy for a user in a group, which shows all tokens and all their payloads, as well as what you get when you get the user attributes.
session:
{
  "idToken": {
    "jwtToken": "eyJraWQiOiJQS1wvMHNNMlk...",
    "payload": {
      "sub": "ceb234234-b0e0-4c3d-8abc-af08c002b4de",
      "cognito:groups": [
        "user"
      ],
      "email_verified": true,
      "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_sinJIhGA8",
      "phone_number_verified": false,
      "cognito:username": "ceba8336-b0e0-4c3d-8abc-af08c002b4de",
      "aud": "203e1rl2o1d8d5chhs9v6s1i79",
      "event_id": "89502ffe-d2fe-11e8-8427-1b3482253d90",
      "token_use": "id",
      "auth_time": 1539885130,
      "exp": 1539888730,
      "iat": 1539885130,
      "email": "[email protected]"
    }
  },
  "refreshToken": {
    "token": "eyJjdHkiOiJKV1QiLCJlb..."
  },
  "accessToken": {
    "jwtToken": "eyJraWQiOiI4N2pRRnpqSm..",
    "payload": {
      "sub": "ceba8336-b0e0-4c3d-8abc-af08c002b4de",
      "device_key": "us-east-2_94234234234b-4cec-ae49-b1f90555d979",
      "cognito:groups": [
        "user"
      ],
      "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_sinJIhGA8",
      "client_id": "203e1rl223423hhs9v6s1i79",
      "event_id": "895234fe-d2fe-11e8-8427-1b3482253d90",
      "token_use": "access",
      "scope": "aws.cognito.signin.user.admin",
      "auth_time": 1539885130,
      "exp": 1539888730,
      "iat": 1539885130,
      "jti": "936fd8f9-c091-4f642345f-ba9454f16b9c",
      "username": "ceba83362342-4c3d-8abc-af08c002b4de"
    }
  },
  "clockDrift": 0
}
userAttributes:
{
  "details": [
    {
      "Name": "sub",
      "Value": "ceba8336-4234-4c3d-8abc-af08c002b4de"
    },
    {
      "Name": "email_verified",
      "Value": "true"
    },
    {
      "Name": "phone_number_verified",
      "Value": "false"
    },
    {
      "Name": "email",
      "Value": "[email protected]"
    }
  ]
}
Solution 2
If someone is using Amplify:
import { Auth } from 'aws-amplify'; // Amplify's Auth category

Auth.currentAuthenticatedUser()
  .then(data => console.log(data.signInUserSession.accessToken.payload['cognito:groups']));
Preston
Updated on July 19, 2022
Comments
-
Preston, almost 2 years ago:
I can see the user's assigned User Pool group in the returned user data object in the console after logging in. Everything I've tried to assign the group to a variable has failed. What am I missing? I can easily get the client_id, JWTs, and attributes.
The object path:
let userGroup = user.signInUserSession.accessToken.payload.cognito.groups[0];
However, this works:
user.signInUserSession.accessToken.payload.client_id;
This section of the object looks like this. I can retrieve the token, the user name, almost anything but groups.
signInUserSession: CognitoUserSession
  accessToken: CognitoAccessToken
    jwtToken: ...
    payload:
      auth_time: 1539824552
      client_id: "5u7o1o1...."
      cognito:groups: Array(1)
        0: "admin-full"
        length: 1
      ... more properties here...
      token_use: "access"
      username: "me"
I'm using Angular 6 and AWS-Amplify but I doubt that matters. Part of my code:
constructor(private amplifyService: AmplifyService) {}

this.amplifyService.auth().currentAuthenticatedUser()
  .then(user => {
    console.log('user data in checkLogin: ', user); // The whole object.
    console.log('user token in checkLogin: ', user.signInUserSession.accessToken.jwtToken); // Retrieves the token.
  });
My whole session object for clarification:
CognitoUser {username: "me", pool: CognitoUserPool, Session: null, client: Client, signInUserSession: CognitoUserSession, …}
  Session: null
  attributes: {phone_number: "########", locale: "Silicon Valley", given_name: "J", family_name: "Preston", email: "[email protected]"}
  authenticationFlowType: "USER_SRP_AUTH"
  client: Client {endpoint: "https://cognito-idp.us-west-2.amazonaws.com/", userAgent: "aws-amplify/0.1.x js"}
  pool: CognitoUserPool {userPoolId: "us-west-2_UW9KsJm0o", clientId: "5u7o1o1v288e...", client: Client, advancedSecurityDataCollectionFlag: true, storage: Storage}
  preferredMFA: "NOMFA"
  signInUserSession: CognitoUserSession
    accessToken: CognitoAccessToken
      jwtToken: "eyJraWQiOiJwaUdRSnc..."
      payload:
        auth_time: 1539881072
        client_id: "5u7o1o1v2..."
        cognito:groups: ["admin"]
        event_id: "168d9cc3-d2f5-11e8-ae71-f734087f965a"
        exp: 1539884672
        iat: 1539881072
        iss: "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_UW9KsJm0o"
        jti: "13c4c552-ee70-4f8a-b64d-f95e0bdc81cf"
        scope: "aws.cognito.signin.user.admin openid"
        sub: "96a047b2-ae9a-42ff-af09-fc1c0802b88f"
        token_use: "access"
        username: "me"
        version: 2
        __proto__: Object
      __proto__: CognitoJwtToken
    clockDrift: 0
    idToken: CognitoIdToken {jwtToken: "eyJraWQiOiI...", payload: {…}}
    refreshToken: CognitoRefreshToken {token: ""}
    __proto__: Object
  storage: Storage {CognitoIdentityServiceProvider.5u7o1o1....LastAuthUser: "me", CognitoIdentityServiceProvider.5u7o1o1v....jimadmin.accessToken: "eyJraWQiOiJ...", CognitoIdentityServiceProvider.5u7o1o1....jimadmin.idToken: "eyJraWQiOiI3...", CognitoIdentityServiceProvider.5u7o1o1....jimadmin.refreshToken: "", CognitoIdentityServiceProvider.5u7o1o1....jimadmin.tokenScopesString: "email openid aws.cognito.signin.user.admin", …}
  username: "me"
-
Preston, over 5 years ago: The assigned group is in the object returned by Cognito. I can see it there along with all the other data and JWTs. Since it lives there I want to use it to determine which parts of the application the user can visit. I'll build out the returned object a bit more with an edit to make this clear.
-
Ryan Breece, over 5 years ago: Adding more to my answer.
-
Preston, over 5 years ago: I have mostly the same properties in my console but I also have cognito:groups. That is what I'm showing above. I have no idea why you aren't getting the groups included. I'll edit and add some of my code for clarity.
-
Preston, over 5 years ago: The answer is: this.userGroup = user.signInUserSession.accessToken.payload['cognito:groups']; The var holds an array with my user group/s. Thanks! I tried [] before but not the ' '. They made the difference.
-
Ryan Breece, over 5 years ago: I have edited my answer. It was my fault, the user I was testing with wasn't associated with a group.
-
Preston, over 5 years ago: Well, we put everything for this issue out there so hopefully it will help others. :-)
-
Žilvinas, over 4 years ago: I have no idea why my session property value is null?