Should I use AWS Cognito “username” or “sub” (uid) for storing in database?

Backend | Unresolved | 4 | 1430
悲哀的现实 2021-01-31 03:59

I have an authenticated user in AWS Cognito service and want to store his unique identifier in the database. Should I store user's username (it's his phone number) or his "su

4 answers
  •  长发绾君心
    2021-01-31 04:42

    Reference username.

    • sub: a globally unique identifier, set by aws
    • subject: a user identifier, set by you

    You want a globally unique identifier, but you want to set it yourself.

    Why not reference sub?

    sub cannot be restored from backup.

    As of writing, Cognito does not have a native backup solution. If you mistakenly delete, you must have your own backup data. Since sub is not a settable field, your user identities will no longer be associated with their former arbitrary sub values.

    Why set subject to the globally unique identifier?

    Globally unique identifiers are good practice. Using a predictable, or out-right settable identifier in a security context is the basis for several common attack patterns. See CAPEC-21: Exploitation of Trusted Identifiers and CAPEC-60: Reusing Session IDs.

    Edit. You could even use sub as your globally unique username identifier if you trust Amazon's system to stay honest.

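The schema the answer above is arguing for, as an added example (this is not code from the original post or from AWS): the application owns its primary key, the Cognito username is the stable human-facing identity, and the pool-assigned sub is stored only as a re-linkable external identity. If the pool is ever deleted and rebuilt from your own backup, every user gets a fresh sub, so the lookup falls back to the username and rewrites the sub link instead of orphaning the row. The claim dicts, phone numbers and sub values below are constructed for the example; in a real service the claims come from an ID token whose signature you have already verified against the pool's JWKS, and the table/column names are assumptions.

```python
"""Added example: own primary key, username as stable identity, Cognito sub
as a re-linkable link. Not code from the original post or from AWS."""
import sqlite3
import uuid


def init_db():
    """Create the users table in an in-memory SQLite database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """
        CREATE TABLE users (
            user_id     TEXT PRIMARY KEY,       -- our own UUID, never changes
            username    TEXT NOT NULL UNIQUE,   -- Cognito username (a phone number here)
            cognito_sub TEXT UNIQUE             -- pool-assigned sub; changes if the pool is rebuilt
        )
        """
    )
    return conn


def link_identity(conn, claims):
    """Map a *verified* Cognito ID-token claim set to our user_id.

    Returns (user_id, status) where status is one of:
      "matched"  - sub already linked to a row
      "relinked" - sub unknown, username known: the pool was rebuilt, so the
                   row is re-bound to the new sub (worth logging as an audit event)
      "created"  - first time we see this user
    """
    sub = claims["sub"]                    # set by AWS, not settable by you
    username = claims["cognito:username"]  # set by you (or the user) at sign-up

    row = conn.execute(
        "SELECT user_id FROM users WHERE cognito_sub = ?", (sub,)
    ).fetchone()
    if row:
        return row[0], "matched"

    row = conn.execute(
        "SELECT user_id, cognito_sub FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row:
        user_id, old_sub = row
        # The old sub is now meaningless (no longer exists in the new pool);
        # keep our user_id and point it at the new sub.
        conn.execute(
            "UPDATE users SET cognito_sub = ? WHERE user_id = ?", (sub, user_id)
        )
        return user_id, "relinked"

    user_id = str(uuid.uuid4())  # globally unique, and we set it ourselves
    conn.execute(
        "INSERT INTO users (user_id, username, cognito_sub) VALUES (?, ?, ?)",
        (user_id, username, sub),
    )
    return user_id, "created"


def current_sub(conn, user_id):
    """Return the Cognito sub currently linked to one of our user_ids."""
    row = conn.execute(
        "SELECT cognito_sub FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = init_db()
    # Constructed claims: same username before and after a pool rebuild, new sub after.
    before = {"sub": "6f1e2a10-0000-4000-8000-000000000001", "cognito:username": "+15555550100"}
    after = {"sub": "6f1e2a10-0000-4000-8000-000000000002", "cognito:username": "+15555550100"}
    print(link_identity(db, before))  # created
    print(link_identity(db, before))  # matched, same user_id
    print(link_identity(db, after))   # relinked, still the same user_id
```

Every foreign key elsewhere in the database references user_id, so nothing downstream needs to change when the sub does. The fallback-by-username path is only safe because you control the pool and treat the username as immutable; if phone numbers can be recycled or reassigned, gate the relink on an additional check (for example a recent sign-in from the old identity) and log it.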