I know of two ways to authenticate a user and obtain an access token: one is through the hosted UI and the other is through the various SDKs provided.
What I am looking for is an endpoint that returns an access token directly from the user's credentials, something like:
POST https://that-special-endpoint.com/login
{
  username: "[email protected]",
  password: "Abc123456",
  ...client ID, etc.
}
I searched for a while but could not find how to do this. Is it not possible because of some security issue I am not aware of?
I did consider creating a Lambda API and using the Cognito SDK to cover my use case, but I am not sure whether that is advisable...
A similar question has been answered here. You can call https://cognito-idp.[region].amazonaws.com/ and invoke the InitiateAuth and RespondToAuthChallenge APIs.

InitiateAuth
aws-auth-data.json
{
  "AuthParameters": {
    "USERNAME": "[email protected]",
    "PASSWORD": "your-first-password",
    "SECRET_HASH": "......(required if the app client is configured with a client secret)"
  },
  "AuthFlow": "USER_PASSWORD_AUTH",
  "ClientId": "5m........................"
}
Call https://cognito-idp.us-east-2.amazonaws.com/ (if the user pool is in the us-east-2 region) to invoke the InitiateAuth API and start an authentication flow:

curl -X POST --data @aws-auth-data.json \
  -H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
  -H 'Content-Type: application/x-amz-json-1.1' \
  https://cognito-idp.us-east-2.amazonaws.com/
{
  "AuthenticationResult": {
    "AccessToken": "eyJra........",
    "ExpiresIn": 3600,
    "IdToken": "eyJra........",
    "RefreshToken": "eyJjd........",
    "TokenType": "Bearer"
  },
  "ChallengeParameters": {}
}
RespondToAuthChallenge

You may get a challenge as the InitiateAuth response instead of tokens. For example, on your first InitiateAuth attempt you will be asked to change your password:
{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ChallengeParameters": {
    "USER_ID_FOR_SRP": "abababab-......",
    "requiredAttributes": "[]",
    "userAttributes": "{\"email_verified\":\"true\",\"email\":\"[email protected]\"}"
  },
  "Session": "DNdY......"
}
In that case, change the password with RespondToAuthChallenge and you will get the tokens:
aws-change-password.json
{
  "ChallengeName": "NEW_PASSWORD_REQUIRED",
  "ChallengeResponses": {
    "USERNAME": "[email protected]",
    "NEW_PASSWORD": "your-second-password"
  },
  "ClientId": "5m........................",
  "Session": "DNdYN...(what you got in the preceding response)"
}
curl -X POST --data @aws-change-password.json \
  -H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
  -H 'Content-Type: application/x-amz-json-1.1' \
  https://cognito-idp.us-east-2.amazonaws.com/
See also: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
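As an added example that is not code from the question or the answer above, here is the same InitiateAuth / RespondToAuthChallenge exchange written in Python against the raw regional endpoint, with the one value the answer leaves as dots filled in: SECRET_HASH, which AWS defines as Base64(HMAC-SHA256(key = client secret, message = username + client ID)) and which must also be sent in the ChallengeResponses of RespondToAuthChallenge when the app client has a secret. The client ID, client secret, session and token strings are constructed placeholders, and FakeCognito is a constructed stand-in that replays the two replies shown in the answer so the flow can be exercised without a user pool; pass http_transport instead to talk to the real endpoint. The app client must have the USER_PASSWORD_AUTH flow enabled (ALLOW_USER_PASSWORD_AUTH in its explicit auth flows); otherwise Cognito rejects an InitiateAuth with this AuthFlow.

```python
import base64
import hashlib
import hmac
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

# Regional endpoint from the answer above (user pool in us-east-2).
COGNITO_HOST = "https://cognito-idp.us-east-2.amazonaws.com/"
Transport = Callable[[Dict[str, Any]], Dict[str, Any]]   # request dict -> parsed JSON reply


def secret_hash(username: str, client_id: str, client_secret: str) -> str:
    """SECRET_HASH as AWS documents it: Base64(HMAC-SHA256(client_secret, username + client_id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def build_request(target: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """Same two headers the curl commands in the answer send; body is the JSON document."""
    return {"url": COGNITO_HOST,
            "headers": {"X-Amz-Target": f"AWSCognitoIdentityProviderService.{target}",
                        "Content-Type": "application/x-amz-json-1.1"},
            "body": json.dumps(body)}


def http_transport(req: Dict[str, Any]) -> Dict[str, Any]:
    """Real transport (standard library only); the offline demo uses FakeCognito instead."""
    r = urllib.request.Request(req["url"], data=req["body"].encode(),
                               headers=req["headers"], method="POST")
    with urllib.request.urlopen(r) as resp:
        return json.load(resp)


def authenticate(username: str, password: str, client_id: str, client_secret: Optional[str],
                 transport: Transport, new_password: Optional[str] = None) -> Dict[str, Any]:
    """InitiateAuth (USER_PASSWORD_AUTH), then answer NEW_PASSWORD_REQUIRED if Cognito returns it.
    Returns the AuthenticationResult dict (AccessToken, IdToken, RefreshToken, ...)."""
    auth_params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:
        auth_params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    resp = transport(build_request("InitiateAuth", {"AuthFlow": "USER_PASSWORD_AUTH",
                                                    "ClientId": client_id,
                                                    "AuthParameters": auth_params}))
    if "AuthenticationResult" in resp:
        return resp["AuthenticationResult"]
    if resp.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        if new_password is None:
            raise ValueError("NEW_PASSWORD_REQUIRED challenge but no new password supplied")
        answers = {"USERNAME": username, "NEW_PASSWORD": new_password}
        if client_secret:
            answers["SECRET_HASH"] = secret_hash(username, client_id, client_secret)  # required here too
        resp = transport(build_request("RespondToAuthChallenge", {
            "ChallengeName": "NEW_PASSWORD_REQUIRED", "ClientId": client_id,
            "Session": resp["Session"],          # opaque value copied from the challenge reply
            "ChallengeResponses": answers}))
        if "AuthenticationResult" in resp:
            return resp["AuthenticationResult"]
    # Any other challenge (e.g. MFA) or a Cognito error document ({"__type": ..., "message": ...}).
    raise RuntimeError(f"unhandled reply: {resp.get('ChallengeName') or resp.get('__type')}")


class FakeCognito:
    """Constructed stand-in for the endpoint: replays the two replies shown in the answer."""

    def __init__(self) -> None:
        self.bodies: list = []   # parsed request bodies, in order, for inspection

    def __call__(self, req: Dict[str, Any]) -> Dict[str, Any]:
        body = json.loads(req["body"])
        self.bodies.append(body)
        target = req["headers"]["X-Amz-Target"].rsplit(".", 1)[-1]
        if target == "InitiateAuth" and body.get("AuthFlow") == "USER_PASSWORD_AUTH":
            return {"ChallengeName": "NEW_PASSWORD_REQUIRED",
                    "ChallengeParameters": {"USER_ID_FOR_SRP": "constructed-user-id"},
                    "Session": "constructed-session"}
        if target == "RespondToAuthChallenge" and body.get("Session") == "constructed-session":
            return {"AuthenticationResult": {"AccessToken": "constructed-access-token",
                                             "ExpiresIn": 3600, "IdToken": "constructed-id-token",
                                             "RefreshToken": "constructed-refresh-token",
                                             "TokenType": "Bearer"},
                    "ChallengeParameters": {}}
        return {"__type": "NotAuthorizedException", "message": "constructed error"}


def demo(client_secret: Optional[str] = "constructed-client-secret"):
    """Run the full two-step flow against the fake; returns (tokens, request bodies sent)."""
    fake = FakeCognito()
    tokens = authenticate("user@example.com", "your-first-password", "constructed-client-id",
                          client_secret, fake, new_password="your-second-password")
    return tokens, fake.bodies
```

The transport is injected rather than hard-coded so the challenge handling can be tested against recorded replies, and so the same code runs unchanged against the real endpoint. Whatever the transport, what comes back is a bearer access token plus a long-lived refresh token, so a server-side caller should store them with the same care as the password it just sent, and a client with a client secret is a confidential client that does not belong in browser or mobile code.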