Is it safe to expose and use $ctx.identity.cognitoIdentityId as a user's public Id? Exposing cognitoIdentityId feels leaky because of the region information.
I am using AWS Identity and Access Management (IAM) as my Authorization type.
I am not sure if this is relevant but my identity pool does allow for unauthenticated identities.
Thanks!
A Cognito identity id is guaranteed to be unique in the region in which it exists, however there is one case in which it could change: identity merges.
Say you have signed in to Facebook to use your app on your phone, but use a Cognito User Pool on your tablet. If you were to want to link those accounts at some point, you would need to sign in with both login tokens once, after that providing a either token would suffice. During this single login, though, an identity merge would be kicked off. The result of this merge would be one disabled identity id, and one active id that owns both tokens. Cognito treats this process entirely randomly - it could be either that is disabled.
It's altogether possible that does not apply to your app, but if you have multiple configured providers, it's something to consider. You'd have to intercept these kinds of events and update your data store accordingly.
As far as leaking the id itself, that's a fair concern. In addition to it just looking funny with the region prefix that a non-AWS developer wouldn't understand, it could have some security risks (depending on permissions you have linked to that type of user). I might recommend some hash or encoding to obfuscate it a bit.