Should I use AWS Cognito “username” or “sub” (uid) for storing in database?

Backend · Unresolved · 4 answers · 1431 views
悲哀的现实 2021-01-31 03:59

I have an authenticated user in AWS Cognito service and want to store his unique identifier in the database. Should I store the user's username (it's his phone number) or his "su

4 answers
  • 2021-01-31 04:29

    One of the current limitations (to this date) of Cognito is listing users: if you save the sub in your own database to identify your users, and later you try to recover information about this saved user from Cognito, it is not possible, because AWS doesn't allow filtering by sub or custom attributes. So use username for saving a UUID and preferred_username as an alias for the real username.

    In JavaScript, AWS.CognitoIdentityServiceProvider.ListUser; the same applies to the others.

    0 · Discussion (0)
  • 2021-01-31 04:31

    You should use the sub attribute. In fact, if a user with the username Erico deletes his account, a new user can use this same username later and your mapping will be wrong...

    A username is always required to register a user, and it cannot be changed after a user is created.

    However

    The username must be unique within a user pool. A username can be reused, but only after it has been deleted and is no longer in use.

    Update

    You can use the sub as ID and the username as an attribute in your database. This will allow you to get a user by his/her username with AdminGetUser.

    If you really need the username as ID in your database, you can either remove the user from your database when his/her account is deleted or use the "Pre Sign-up" trigger to prevent a user from using a username already in the database.

    0 · Discussion (0)
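    The two strategies this answer contrasts, as an added illustration that is not part of the thread: an in-memory app table keyed by Cognito's immutable `sub`, a lookup by username showing why username-keyed mappings go wrong after a username is deleted and re-registered, and a Cognito "Pre Sign-up" trigger handler that rejects a username still referenced by the app database. The `appDb` contents and the `sub` values are constructed sample data; the trigger reads `event.userName` as Cognito's Pre Sign-up event does.

```javascript
// App-side user table keyed by Cognito `sub` (constructed sample data).
const appDb = new Map([
  ['a1b2c3d4-0000-4000-8000-000000000001', { username: 'Erico', role: 'admin' }],
]);

// Look up an app record by the immutable `sub`: the recommended key.
function findBySub(db, sub) {
  return db.get(sub) || null;
}

// Look up by username; only safe if username reuse is also prevented.
function findByUsername(db, username) {
  for (const [sub, rec] of db) {
    if (rec.username === username) return { sub, ...rec };
  }
  return null;
}

// Erico deletes his Cognito account; someone else later registers the same
// username and receives a fresh `sub`. Compare what each mapping returns.
function simulateUsernameReuse(db) {
  const newSub = 'ffffffff-0000-4000-8000-000000000002'; // constructed
  // A username-keyed mapping hands the newcomer Erico's old record (and role).
  const wrongByUsername = findByUsername(db, 'Erico');
  // A sub-keyed mapping correctly knows nothing about the new identity.
  const correctBySub = findBySub(db, newSub);
  return { wrongByUsername: wrongByUsername !== null, correctBySub };
}

// Cognito Pre Sign-up trigger: throwing rejects the sign-up, returning the
// event allows it. Kept synchronous so it is easy to unit-test; Node Lambda
// accepts a plain return value as well as a Promise.
function preSignUpHandler(event, db = appDb) {
  const requested = event.userName;
  if (findByUsername(db, requested) !== null) {
    throw new Error(`Username "${requested}" is still referenced by an existing account`);
  }
  return event;
}
```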
  • 2021-01-31 04:38

    If you only want to store one, the sub is probably the way to go for the reasons you provided.

    It depends greatly on your use case, but if you need to use this database to call APIs like your example, keeping track of both/a mapping between the two is a totally valid solution.

    0 · Discussion (0)
  • 2021-01-31 04:42

    Reference username.

    • sub: a globally unique identifier, set by aws
    • subject: a user identifier, set by you

    You want a globally unique identifier, but you want to set it yourself.

    Why not reference sub?

    sub cannot be restored from backup.

    As of writing, Cognito does not have a native backup solution. If you mistakenly delete, you must have your own backup data. Since sub is not a settable field, your user identities will no longer be associated with their former arbitrary sub values.

    Why set subject to the globally unique identifier?

    Globally unique identifiers are good practice. Using a predictable, or outright settable, identifier in a security context is the basis for several common attack patterns. See CAPEC-21: Exploitation of Trusted Identifiers and CAPEC-60: Reusing Session IDs.

    Edit. You could even use sub as your globally unique username identifier if you trust Amazon's system to stay honest.

    0 · Discussion (0)