1

I'm trying to identify whether the authenticated user is an admin or not, by checking whether they belong to a specific group. I'm using Amplify in my React application and tried several methods, such as Auth.currentUserInfo(), Auth.currentAuthenticatedUser() and also getting the JWT token to see if somehow it's returned in the token, but I didn't find any information regarding that. I saw some people saying that there is a cognito:groups payload in the token here, but that may have changed, because in my returned token it does not exist.

Another thing that I thought would work is the scope that comes in the jwt (aws.cognito.signin.user.admin), but it seems that every created user using amplify is returning this scope.

Is it possible to check if an authenticated user belongs to a group or if it's an admin user from cognito?

Maturano
  • You get two tokens back from Cognito, you get an Idtoken and an Auth token. In the AWS docs, you can see how one can validate the token; since you are using JS, a lot of npm packages will do this for you. I believe the IDtoken is the one that holds user info such as groups / tags. Using jwt.io you can read the contents of your tokens. – exception_thrown Sep 08 '20 at 21:39
  • Hello @PHPNoob, I tried to get the IdToken also, but it returns information such as email, auth_time, nothing regarding the groups. – Maturano Sep 08 '20 at 21:51

1 Answer

6

You can get the user groups from the session. It is in user.signInUserSession.accessToken.payload["cognito:groups"] which will contain an array of all groups for the user.

Here is a short example:

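```javascript
import { Auth } from 'aws-amplify';

const user = await Auth.currentAuthenticatedUser();

// the array of groups that the user belongs to
// (the claim is absent, so this is undefined, when the user is in no group)
const groups = user.signInUserSession.accessToken.payload["cognito:groups"];
```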
Dylan
    Super thanks Dylan, I tried several approaches but this one and your answer is exactly what I need, thank you again! – Maturano Sep 09 '20 at 11:46
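
Added example (not part of the answer above and not Amplify's own code): a helper that reads `cognito:groups` from a token string and treats a missing claim as "no groups", which is how the token looks for a user who belongs to no group. The group name `admin`, the helper names and the sample tokens are constructed for illustration; the helper decodes the payload without verifying the signature, so it fits showing or hiding UI, and a backend still has to verify the token before authorizing on the claim.

```javascript
// Added example: UI-side read of the cognito:groups claim. No signature check is done here.

// Decode one base64url JWT segment into an object (browser or Node).
function decodeSegment(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  b64 += '='.repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bin = typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
  return JSON.parse(bin);
}

// Return the groups carried by a token; an absent or malformed claim yields [].
function groupsFromToken(jwt) {
  const parts = typeof jwt === 'string' ? jwt.split('.') : [];
  if (parts.length !== 3) return [];
  let groups;
  try {
    const payload = decodeSegment(parts[1]);
    groups = payload && payload['cognito:groups'];
  } catch (e) {
    return []; // not valid base64url or not JSON
  }
  return Array.isArray(groups) ? groups.filter((g) => typeof g === 'string') : [];
}

function isInGroup(jwt, group) {
  return groupsFromToken(jwt).includes(group);
}

// Build a constructed sample token (placeholder signature, for the demo only).
function makeSampleToken(payload) {
  const enc = (obj) => {
    const json = JSON.stringify(obj);
    const b64 = typeof btoa === 'function' ? btoa(json) : Buffer.from(json).toString('base64');
    return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  };
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.constructed-signature`;
}

// Constructed payloads: one user in two groups, one user in none (claim absent).
const adminToken = makeSampleToken({ token_use: 'access', username: 'alice', 'cognito:groups': ['admin', 'editors'] });
const plainToken = makeSampleToken({ token_use: 'access', username: 'bob' });

console.log(isInGroup(adminToken, 'admin'), groupsFromToken(plainToken));
```

With Amplify, the string to pass in is the access token's JWT from the current session.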