Migrating AWS Cognito users to Auth0

Question  Votes: 0  Answers: 1

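I want to move all existing users from an AWS Cognito pool to Auth0. Preferably with their existing passwords, or, if passwords must be changed, using on-the-fly migration. I have seen user guides online for migrating users from Okta/Stormpath etc. to Auth0, but nothing about Cognito to Auth0 integration. Any pointers would be helpful.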

authentication migration amazon-cognito auth0
1 answer
9
votes

There are two ways to import users into Auth0:

  1. Bulk migration
  2. Automatic migration (i.e. lazy loading)

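Currently, there really is no easy way to export users from AWS Cognito. Even if you did, the exported user profiles would not contain the users' hashed passwords, so users would need to reset their account passwords after migrating to Auth0 as the identity provider. Not ideal. So bulk migration is out of the question.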

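Instead, automatic migration is probably the right choice. You have to configure a custom database in Auth0, point it at your AWS Cognito user pool, and define two scripts: one to get a user and another to log a user in.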

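AWS does not expose these endpoints through an API by default, but it does offer similar functionality in the amazon-cognito-identity-js npm package (per use case 4 in the documentation).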

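Thanks to @yvovandoorn for writing the JavaScript code: you can use this npm package in the Auth0 custom database get-user and login scripts to perform the automatic migration. Just make sure Import Users to Auth0 is checked as true under the custom database settings.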

get-user.js

/*
Requires Auth0 Global Variables to be set - https://auth0.com/docs/rules/configure-global-variables-for-rules
If testing locally (or not wanting to use Auth0 Global Variables):
const configuration = {
  "accessKeyId": "your-cognito-access-key",
  "secretAccessKey": "your-cognito-secret-access-key",
  "region": "your-aws-region",
  "UserPoolId": "your-aws-user-pool"
};
*/

function getUser(username, callback) {
    // Cognito attributes copied onto the Auth0 profile
    const userParameters = ["email", "email_verified", "custom:designation"];
    // AWS SDK for JavaScript; append @<version> to the module name to pin a release
    const AWS = require('aws-sdk');
    AWS.config.update({ "accessKeyId": configuration.accessKeyId, "secretAccessKey": configuration.secretAccessKey, "region": configuration.region });
    const cognito = new AWS.CognitoIdentityServiceProvider();

    cognito.adminGetUser({
        UserPoolId: configuration.UserPoolId,
        Username: username
    }, (err, data) => {
        if (err) {
            console.log(err);
            // Unknown user: call back with no error and no profile
            if (err.code === "UserNotFoundException") return callback(null);
            return callback(err);
        }
        const findAttribute = name => data.UserAttributes.find(item => item.Name === name);
        let profile = {
            "user_id": findAttribute("sub").Value,
            "username": data.Username,
        };
        userParameters.forEach(customParameterName => {
            // Skip attributes this user does not have instead of throwing
            const attribute = findAttribute(customParameterName);
            if (attribute) profile[customParameterName] = attribute.Value;
        });
        return callback(null, profile);
    });
}

login.js

/*
Read StackOverflow article about potential window issue: https://stackoverflow.com/questions/40219518/aws-cognito-unauthenticated-login-error-window-is-not-defined-js

Requires Auth0 Global Variables to be set - https://auth0.com/docs/rules/configure-global-variables-for-rules

If testing locally (or not wanting to use Auth0 Global Variables):
const configuration = {
  "ClientId": "your-aws-client-id",
  "UserPoolId": "your-aws-user-pool-id"
};
*/

function login(username, password, callback) {
    // amazon-cognito-identity-js needs a global fetch when it runs under Node.js
    global.fetch = require('node-fetch');
    // Append @<version> to a module name to pin a release
    var AmazonCognitoIdentity = require('amazon-cognito-identity-js');
    var poolData = {
        UserPoolId: configuration.UserPoolId,
        ClientId: configuration.ClientId
    };
    var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);

    var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails({
        Username: username,
        Password: password
    });
    var userData = {
        Username: username,
        Pool: userPool
    };
    var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
    cognitoUser.authenticateUser(authenticationDetails, {
        onSuccess: function (result) {
            // Do not log result: it carries the ID, access and refresh tokens
            var idTokenPayload = result.getIdToken().payload;
            var profile = {
              user_id: idTokenPayload.sub,
              email: idTokenPayload.email,
              /* might want to set this to false if you're not validating email addresses */
              email_verified: true,
            };
            callback(null, profile);
        },
        onFailure: function (err) {
            // Cognito rejected the credentials: report a failed login to Auth0
            return callback(new WrongUsernameOrPasswordError(username));
        }
    });
}
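
A local harness for the get-user contract in the answer above, as an added example that is not part of the original answer: the Cognito client is injected so the three outcomes (profile, unknown user, other error) can be checked offline. `makeGetUser`, `toAuth0Profile` and `stubCognito` are hypothetical names, and the sample users are constructed.

```javascript
// Added example. makeGetUser, toAuth0Profile and stubCognito are hypothetical names;
// the sample users are constructed. Only the adminGetUser response shape is Cognito's.
function toAuth0Profile(data, extraAttributes) {
  const attrs = new Map((data.UserAttributes || []).map(a => [a.Name, a.Value]));
  if (!attrs.has('sub')) throw new Error('Cognito user has no sub attribute');
  const profile = {
    user_id: attrs.get('sub'),
    username: data.Username,
    email: attrs.get('email'),
    // Cognito returns every attribute value as a string; Auth0 wants a boolean.
    email_verified: attrs.get('email_verified') === 'true'
  };
  // Copy optional attributes only when the user actually has them.
  for (const name of extraAttributes) {
    if (attrs.has(name)) profile[name] = attrs.get(name);
  }
  return profile;
}

function makeGetUser(cognito, userPoolId, extraAttributes) {
  return function getUser(username, callback) {
    cognito.adminGetUser({ UserPoolId: userPoolId, Username: username }, (err, data) => {
      if (err) {
        // Unknown user is not an error: call back with nothing so Auth0 sees "no such user".
        if (err.code === 'UserNotFoundException') return callback(null);
        return callback(err);
      }
      let profile;
      try { profile = toAuth0Profile(data, extraAttributes); } catch (e) { return callback(e); }
      return callback(null, profile);
    });
  };
}

// Constructed stub standing in for AWS.CognitoIdentityServiceProvider.
const stubCognito = {
  adminGetUser(params, cb) {
    if (params.Username === 'alice') {
      return cb(null, { Username: 'alice', UserAttributes: [
        { Name: 'sub', Value: '00000000-0000-4000-8000-000000000001' },
        { Name: 'email', Value: 'alice@example.com' },
        { Name: 'email_verified', Value: 'false' }
      ] });
    }
    if (params.Username === 'throttled') return cb({ code: 'TooManyRequestsException' });
    return cb({ code: 'UserNotFoundException' });
  }
};
const getUser = makeGetUser(stubCognito, 'constructed-pool-id', ['custom:designation']);
```

The stub calls back synchronously, so each outcome can be asserted immediately after the call.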