Manual authentication with Amazon Cognito

Question (votes: 0, answers: 1)

I know there are two ways to authenticate a user and obtain an access token: one is through the hosted UI, and the other is through the various SDKs that are provided.

What I am looking for is an endpoint that returns an access token directly from the user's credentials.

POST https://that-special-endpoint.com/login
{
 username: "[email protected]",
 password: "Abc123456",
 ...client ID, etc.
}

I searched for a while but could not find how to do this. Is it impossible because of some security concern I am not aware of?

I did consider creating a Lambda API that uses the Cognito SDK for my use case, but I am not sure whether that is advisable...

amazon-web-services aws-lambda amazon-cognito
1 Answer

Score: 1

A similar question was answered here. You can call the InitiateAuth and RespondToAuthChallenge APIs at https://cognito-idp.[region].amazonaws.com/.


InitiateAuth


  1. Create a JSON file, aws-auth-data.json:
{
    "AuthParameters": {
        "USERNAME": "[email protected]",
        "PASSWORD": "your-first-password",
        "SECRET_HASH": "......(required if the app client is configured with a client secret)"
    },
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "5m........................"
}
  2. Send the request to https://cognito-idp.us-east-2.amazonaws.com/ (if the user pool is in the us-east-2 region) to call the InitiateAuth API and start an authentication flow:
curl -X POST --data @aws-auth-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
  3. You then get the user's tokens:
{
    "AuthenticationResult": {
        "AccessToken": "eyJra........",
        "ExpiresIn": 3600,
        "IdToken": "eyJra........",
        "RefreshToken": "eyJjd........",
        "TokenType": "Bearer"
    },
    "ChallengeParameters": {}
}

RespondToAuthChallenge


You may get a challenge in the InitiateAuth response. For example, on your first InitiateAuth attempt you will be asked to change the password.

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "abababab-......",
        "requiredAttributes": "[]",
        "userAttributes": "{\"email_verified\":\"true\",\"email\":\"[email protected]\"}"
    },
    "Session": "DNdY......"
}

In that case, change the password with RespondToAuthChallenge and you will get the tokens.

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeResponses": {
        "USERNAME": "[email protected]",
        "NEW_PASSWORD": "your-second-password"
    },
    "ClientId": "5m........................",
    "Session": "DNdYN...(what you got in the preceding response)"
}
curl -X POST --data @aws-change-password.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/

See also:

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-client-side-authentication-flow
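An added example, not part of the answer above: a small Python client for the two-call flow the answer describes. It builds the InitiateAuth body, computes the SECRET_HASH the answer mentions (Base64 of HMAC-SHA256 over username + client ID, keyed with the app client secret), and answers a NEW_PASSWORD_REQUIRED challenge with the Session from the previous response. The HTTP transport is injected as `post(api, body)` (an assumed callable, so the logic can be exercised offline); a real one would send `headers(api)` and the JSON body to the regional endpoint from the curl commands.

```python
import base64
import hashlib
import hmac


def headers(api: str) -> dict:
    """Headers from the curl calls above; api is InitiateAuth or RespondToAuthChallenge."""
    return {"X-Amz-Target": f"AWSCognitoIdentityProviderService.{api}",
            "Content-Type": "application/x-amz-json-1.1"}


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH = Base64(HMAC-SHA256(key=client_secret, msg=username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def initiate_auth_payload(username, password, client_id, client_secret=None):
    """Body of aws-auth-data.json; SECRET_HASH is added only when the app client has a secret."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    return {"AuthFlow": "USER_PASSWORD_AUTH", "ClientId": client_id, "AuthParameters": params}


def next_step(response, username, client_id, client_secret=None, new_password=None):
    """Interpret an InitiateAuth or RespondToAuthChallenge response.
    Returns ("tokens", AuthenticationResult) or ("respond", RespondToAuthChallenge body)."""
    if "AuthenticationResult" in response:
        return "tokens", response["AuthenticationResult"]
    if response.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        if not new_password:
            raise ValueError("NEW_PASSWORD_REQUIRED challenge but no new password supplied")
        answers = {"USERNAME": username, "NEW_PASSWORD": new_password}
        if client_secret:  # the challenge answer must carry SECRET_HASH as well
            answers["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
        return "respond", {"ChallengeName": "NEW_PASSWORD_REQUIRED", "ChallengeResponses": answers,
                           "ClientId": client_id, "Session": response["Session"]}
    raise ValueError(f"unhandled challenge: {response.get('ChallengeName')}")


def authenticate(post, username, password, client_id, client_secret=None, new_password=None):
    """Drive the flow. post(api, body) sends one request and returns the parsed JSON reply;
    inject a real HTTP client or a stub (assumed interface, not a Cognito API)."""
    reply = post("InitiateAuth", initiate_auth_payload(username, password, client_id, client_secret))
    for _ in range(3):  # bounded: each round answers one challenge
        action, data = next_step(reply, username, client_id, client_secret, new_password)
        if action == "tokens":
            return data
        reply = post("RespondToAuthChallenge", data)
    raise RuntimeError("authentication did not complete")
```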

© www.soinside.com 2019 - 2024. All rights reserved.