Identify the authorized cognito user in the controller

After successfully connecting RubyOnJets with a Cognito Userpool, we are able to log in and access the different controllers. However, I would like to know which user performed which task for auditing and other purposes. E.g., you are allowed to request leave, but only for yourself (obviously I can specify the user client side, but that is a security risk).
It would be nice if this was available through
I believe this needs to be done in the API Gateway

event['requestContext'] currently looks like:
requestContext: {
"requestTime"=>"26/Nov/2020:14:37:16 +0000",
"identity": {
"userAgent"=>"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:84.0) Gecko/20100101 Firefox/84.0",

It doesn’t look like this request was authorized through Cognito.


Did you specify an authorizer for the controller action that returned the above result?

(I also recommend censoring the domainName).


Sorry, I seem to have forgotten that I had disabled it.
I found the data in

Awesome! I use

event.dig(:requestContext, :authorizer, :claims, :sub)

to access the data.
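
The server-side check this thread is about, written out as an added example (not code from any poster or from Jets itself): the caller's identity is taken from the authorizer claims, never from request parameters, and a request that carries no claims is rejected. It assumes a plain Hash event with string keys; `build_leave_request`, the error classes and the sample events are hypothetical and constructed for illustration.

```ruby
# Added example; the events at the bottom are constructed sample data.
class NotAuthenticated < StandardError; end
class Forbidden < StandardError; end

# Return the Cognito "sub" claim that API Gateway attaches once a Cognito
# authorizer has validated the token. Raise if no authorizer ran, which is
# the case when the authorizer is disabled for the action.
def current_user_sub(event)
  sub = event.dig("requestContext", "authorizer", "claims", "sub")
  raise NotAuthenticated, "no Cognito claims on request" if sub.to_s.strip.empty?
  sub
rescue TypeError # an intermediate value was not a Hash
  raise NotAuthenticated, "malformed authorizer context"
end

# Hypothetical leave-request rule: the owner always comes from the token.
# A client-supplied user_id is tolerated only when it matches the token.
def build_leave_request(event, params)
  actor = current_user_sub(event)
  requested = params["user_id"]
  if requested && requested != actor
    raise Forbidden, "cannot request leave for another user"
  end
  { "user_id" => actor, "from" => params["from"], "to" => params["to"],
    "audit_actor" => actor } # audit trail uses the verified identity
end

# Constructed event: what requestContext carries after a Cognito authorizer ran.
AUTHORIZED_EVENT = {
  "requestContext" => {
    "requestTime" => "26/Nov/2020:14:37:16 +0000",
    "authorizer" => {
      "claims" => { "sub" => "11111111-2222-3333-4444-555555555555",
                    "email" => "alice@example.com" }
    }
  }
}.freeze

# Constructed event: no authorizer block, only identity metadata.
UNAUTHORIZED_EVENT = {
  "requestContext" => {
    "requestTime" => "26/Nov/2020:14:37:16 +0000",
    "identity" => { "userAgent" => "Mozilla/5.0" }
  }
}.freeze
```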

Cool, thanks.
That solves the issue of when event['requestContext'] would be nil.
Do you have a way to add users/fetch a list of groups/users from Cognito as well?
Or do I need to do the following:

cognitoidentity = Aws::CognitoIdentity::Client.new(
  region: region_name,
  credentials: credentials,
  # ...
)

I mainly use the admin_ methods for my Cognito operations:

Do you modify the i_am_role jets created or do you create a new one?
And do you create the client and how do you interact?

class GroupsController < ApplicationController
  authorizer "main#my_cognito"
  def index
    # Placeholder credentials, as posted
    access_key_id = 'foo'
    secret_access_key = 'secr3t'
    session_token = nil
    credentials = Aws::Credentials.new(access_key_id, secret_access_key, session_token)

    region_name = MainAuthorizer.cognito_authorizers.first.dig(:definition)["{namespace}_authorizer"].dig(:properties, :provider_arns).first.split('/')[1].split('_')[0]

    client = Aws::CognitoIdentityProvider::Client.new(
      region: region_name,
      credentials: credentials
    )
    # pool_id is not defined in the posted snippet
    @response = client.list_groups(
      user_pool_id: pool_id
    )
    render json: @response
  end
end

I am not sure what you are trying to do in your code example. Is this an admin interface to manage users in your pool and group? I would leave that to the AWS console.