Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Difference between cognitoIdentityId and cognito's sub

See original GitHub issue

Which Category is your question related to? Auth What AWS Services are you utilizing? Cognito + Amplify Provide additional details e.g. code snippets

I have an authenticated user that when hitting an authenticated API, the APIGatewayEvent request identity object in the lambda function looks like the following:

APIGatewayEventRequestContext.identity: {
    accessKey: string;
    accountId: string;
    apiKey: string;
    caller: string;
    cognitoAuthenticationProvider: string;
    cognitoAuthenticationType: string;
    cognitoIdentityId: string;
    cognitoIdentityPoolId: string;
    sourceIp: string;
    user: string;
    userAgent: string;
    userArn: string;
}

In most tutorials I’ve seen people use the cognitoIdentityId as a primary key in their Dynamo DB table. This cognitoIdentityId looks along the lines of us-east-1:9383883-7c06-4e84-8637-01b966cd2323.

This looks very different than sub that’s found on cognito, which looks more like d014f2323-f1e8-4694-9d97-c223232. I’m leaning towards using sub as the primary key, however, it makes me feel a little uneasy that given the above event request identity object, the only way to retreive sub is by parsing the cognitoAuthenticationProvider key:

i.e. event.requestContext.identity.cognitoAuthenticationProvider.split(“:”)[2] // => returns sub

I guess my questions are:

Why is sub so hard to get in this object? Is it safe to do so?
What’s the purpose of cognitoIdentityId? Is it meant to be used as a public id?
Is it okay to use cognito’s sub as a primary key for a dynamo db table?

Thank you in advance

Issue Analytics

State:
Created 5 years ago
Reactions:14
Comments:12 (1 by maintainers)

Top GitHub Comments

7reactions

shan4993commented, Jul 11, 2019

Hello, there must be more implications to using one over the other. Which value, sub or identity id, should be used as a unique identifier for a user in say a dynamo table.

For instance, if a Facebook or google login api was offered in a client app along with custom login in option how would these impact sub and identity id values.

3reactions

jan-wilhelmcommented, Aug 23, 2019

Are there updates on this? @shan4993 's question is crucial to some applications!

Top Results From Across the Web

Mapping Cognito Identity Id and User Pool Id - SST.Dev

cognitoIdentityId as the user Id. This is the Id that a user is assigned through the Identity Pool. However, you cannot use this...

Suitability of AWS Cognito Identity ID for SQL primary key

I am working on a platform where unique user ID's are Identity ID's from a Amazon Cognito identity pool. Which look ...

Individuals in my organization get an "External Login is ...

The external-login-id should be the identity ID for the Amazon Cognito user. The format is <identity-region>:<cognito-user-sub> , as shown in the following ...

Create a Cognito Identity Pool | Serverless & React on AWS

We can use the Cognito User Pool as an identity provider for our serverless ... S3 bucket and prefix our files with the...

Storage - File access levels - JavaScript - AWS Amplify Docs

Files are stored under protected/{user_identity_id}/ where the user_identity_id corresponds to the unique Amazon Cognito Identity ID for that user.