问题
I have an authenticated user in AWS Cognito service and want to store his unique identifier in the database. Should I store user's username (it's his phone number) or his "sub" (it's his uid)? All Amazon API functions like AdminGetUser are using "username" parameter, but not sub/uid.
But I also read that article and the author said "Always generate the policy on value of 'sub' claim and not for 'username' because username is reassignable. Sub is UUID for a user which is never reassigned to another user."
So, now I'm hesitating what I have to use as unique user identifier - "username" or "sub"
Thank you.
回答1:
You should use the sub attribute. In fact, if a user with the username Erico delete his account, a new user can use this same username later and your mapping will be wrong...
A username is always required to register a user, and it cannot be changed after a user is created.
However
The username must be unique within a user pool. A username can be reused, but only after it has been deleted and is no longer in use.
Update
You can use the sub as ID and the username as attribute in your database. This will allow you to get a user by his/her username with AdminGetUser.
If you really need the username as ID in your database, you can either remove the user from your database when his/her account is deleted or use the "Pre Sign-up" trigger to prevent a user to use a username already in the database.
回答2:
One of the current limitations (to this date) of Cognito is listing users, if you save the sub in your own database for identify your users, and later you try to recover information of this saved user from cognito is not possible, due aws doesn't allow filter by sub or custom attributes, so use username for saving an uuid and prefered_username as alias for real username.
In javascript AWS.CognitoIdentityServiceProvider.ListUser, same for others.
回答3:
If you only want to store one, the sub is probably the way to go for the reasons you provided.
It depends greatly on your use case, but if you need to use this database to call APIs like your example, keeping track of both/a mapping between the two is a totally valid solution.
来源:https://stackoverflow.com/questions/39223347/should-i-use-aws-cognito-username-or-sub-uid-for-storing-in-database