Issues with Identities provided by AWS Cognito as Custom JWT Provider

Hello all,

We are currently using AWS Cognito as our custom JWT authentication provider with our client Realm app. We have the whole flow working smoothly and have end-users interacting with our mobile app with no problems regarding authentication whatsoever. However, we have been trying to come up with a solution to creating backups of our infrastructure and data and getting stuck on one particular point, which is restoring user auth information.

When a user submits their credentials to Cognito, an Id token is retrieved from the response that has all the fields and information that we expect to see. This includes the ‘sub’ value. The ‘sub’ value is generated to be universally unique for each user by Cognito while a user is being created and is immutable. When the Id token is passed onto the Realm app as JWT credentials, a new app user is created if none exist or retrieved if it exists. Realm uses the ‘sub’ value received from Cognito and we can observe this in the identities array of the Realm app user object.

The catch, and the source of our problems, is that the ‘sub’ value generated by Cognito cannot be restored when restoring user data from backups. It is generated from scratch even if you are restoring a lost user account from an earlier backup and you know the previous ‘sub’ value. In such an event, since Realm keeps the old ‘sub’ value as the user’s identity, which is now lost, we have no means of linking this existing Realm user to their new ‘sub’ generated by Cognito.

We have been in contact with AWS about this and learned that we have no power over the ‘sub’ value or the token itself. So, we were hoping that there is a way for us to manage this from Realm. Ideally, we would be able to use a custom value as the value of the ‘id’ field within the identities array of the user instead of the ‘sub’ value automatically. However, we couldn’t figure out how to achieve this. So, we were wondering if there is a way of doing this without having to go the Custom Function Authentication route. Lastly, if that is a must, how would we go about migrating our existing Realm app users to this new method. Would that be done via identity linking?

Any help on this lengthy issue is very much appreciated.
-Cagri

Hello @CagriC
Sorry i wont be able to help you about your issue but i would like to setup aws cognito with mongodb atlas and it seems like you have done it.
I did not see any documentation about it and even in the configuration page of custom JWT authentication i dont see any field talking about authentication url where i could put my cognito information to validate the JWT token once someone is trying to use the graphql endpoint.

So i would like to know how you did to setup the JWT authenticator for cognito?
Did you use custom JWT authenticator? if yes , what parameter did you put?
Did you use custom function authenticator? if yes, could you share the function?

Thank you for your help

Hello @cyril_moreau

Figuring out the JWT configuration between Realm and Cognito was a bit tricky when you’re trying to figure out the parameters, but very straightforward when you do to set up once you figure out the parameters. Here is the configuration screen we have:

CleanShot 2022-11-04 at 07.07.52@2x3110×1492 354 KB

The JWK URI has the same pattern for all Cognito pools. Once you construct that URI using your own pool information, see if you can open it in a browser, you should be able to view a JSON response when you open that URI on a browser.

• Cognito pool’s region where the red box is.
• Cognito pool’s ID where the orange box is.
• Cognito App client ID where the yellow box is. The client ID is the relevant one at the bottom of the App Integration tab on the Cognito console of your user pool.

We are not using GraphQL, though, so I can’t help you if there are additional steps required to configure GraphQL endpoints with JWT.

Thank you for the information, it works now