How do I access the group for a Cognito User account?
I originally expected the Cognito JavaScript API to provide a simple property or method to return the list of groups, but instead I concluded that it was buried within a token, and thus had to learn about jwt. Once the Cognito User is established and the session is retrieved, the array of groups is available within the IdToken.
var jwtDecode = require('jwt-decode');
var AmazonCognitoIdentity = require('amazon-cognito-identity-js');
var CognitoUserPool = AmazonCognitoIdentity.CognitoUserPool;
var CognitoUser = AmazonCognitoIdentity.CognitoUser;
var userPool = new CognitoUserPool({UserPoolId:'', ClientId:''");
...
app.get('/app', function(req, res){
var cognitoUser = userPool.getCurrentUser();
if(cognitoUser != null){
cognitoUser.getSession(function(err, session) {
if (err) {
console.error(err);
return;
}
console.log('session validity: ' + session.isValid());
var sessionIdInfo = jwtDecode(session.getIdToken().jwtToken);
console.log(sessionIdInfo['cognito:groups']);
});
}
});
If you're using Amplify, if you use the currentAuthenticatedUser method you can get the groups from the response using:
response.signInUserSession.idToken.payload['cognito:groups']
Or using the currentSession method you can use either of:
response.accessToken.payload['cognito:groups']
or
response.idToken.payload['cognito:groups']
If you just need the Cognito UserPools Groups the Authenticated User is a member of, instead of making a separate API call, that data is encoded in the idToken.jwtToken that you received when authenticating.
This is useful for client-side rendering/access decisions in angular/react/etc. apps.
See the "cognito:groups" array claim in this example decoded idToken.jwtToken:
{
"sub": "a18626f5-a011-454a-b4c2-6969b3155c24",
"cognito:groups": [
"uw-app-administrator",
"uw-app-user"
],
"email_verified": true,
"iss": "https://cognito-idp.<region>.amazonaws.com/<user-pool-id>",
"cognito:username": "<my-user-name>",
"given_name": "<my-first-name>",
"aud": "<audience-code>",
"token_use": "id",
"auth_time": 1493918449,
"nickname": "Bubbles",
"exp": 1493922049,
"iat": 1493918449,
"email": "<my-email>"
}
Hope this helps.