When I deploy using the publish wizard and hit the endpoint in Postman (https://myendpoint/Prod) I immediately get:

```json
{"message":"Forbidden"}
```

I can only guess this has something to do with http/https.

Authentication controller:
```csharp
using System.Threading.Tasks;
using Amazon;
using Amazon.CognitoIdentityProvider;
using Amazon.CognitoIdentityProvider.Model;
using Microsoft.AspNetCore.Mvc;

public class AuthenticationController : Controller
{
    [HttpPost]
    [Route("api/signin")]
    public async Task<ActionResult<string>> SignIn(User user)
    {
        // No explicit credentials: inside Lambda the SDK uses the function's
        // execution role, so that role must allow cognito-idp:AdminInitiateAuth.
        var cognito = new AmazonCognitoIdentityProviderClient(RegionEndpoint.APSoutheast2);
        var request = new AdminInitiateAuthRequest
        {
            UserPoolId = "ap-southeast-2_MYPOOLID",
            ClientId = "MYCLIENTID",
            AuthFlow = AuthFlowType.ADMIN_USER_PASSWORD_AUTH
        };
        request.AuthParameters.Add("USERNAME", user.Username);
        request.AuthParameters.Add("PASSWORD", user.Password);
        var response = await cognito.AdminInitiateAuthAsync(request);
        // Returns the token set (IdToken, AccessToken, RefreshToken) to the caller.
        return Ok(response.AuthenticationResult);
    }
}
```
Startup.ConfigureServices

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

services.AddSingleton<IAuthorizationHandler, CognitoGroupAuthorisationHandler>();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Authority is the user pool URL; the handler fetches the pool's signing keys
        // from {Authority}/.well-known/openid-configuration. Without it there are no
        // keys to validate signatures against.
        options.Authority = "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_MYPOOL";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_MYPOOL",
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidateLifetime = true,
            // For a Cognito ID token the "aud" claim is the app client ID.
            ValidAudience = "MYKEY",
            ValidateAudience = true
        };
    });
```
Edit #1: It looks like I have solved the Forbidden message, but now I get a 500 error.

Postman output: 500 Internal Server Error

Testing with API Gateway (API Gateway -> Resources -> /{proxy+} -> ANY -> Test -> POST)
Method: POST, proxy set to: /api/signin, request body:

```json
{
  "username": "xxx",
  "password": "yyy"
}
```
Output:

```json
{"Strict-Transport-Security":"max-age=2592000","ErrorType":"AmazonCognitoIdentityProviderException","X-Amzn-Trace-Id":"Root=xxxxx;Sampled=0","Content-Type":""}
```
OK - this might help someone at some stage.

The initial "Forbidden" error was actually not a permissions issue. When deploying the API via the wizard, it actually adds a "Stage" directory to the end of the URL. I did not add this to the Postman request. Easy to do, and easy to overlook. A bit misleading - it really should be a 404.

The second part (Edit #1), the 500 Internal Server Error. There is no real "easy" way to troubleshoot this other than enabling CloudWatch logs for your API and then searching through them.

Follow this YouTube video on how to set that up: https://www.youtube.com/watch?v=R67huNjk88w

After looking at the logs I found it was a permissions issue:
```text
Amazon.CognitoIdentityProvider.AmazonCognitoIdentityProviderException: User: arn:aws:sts::xxxxx:assumed-role/xxx-AspNetCoreFunctionRole-xxx/bethub-AspNetCoreFunction-xxxx is not authorized to perform: cognito-idp:AdminInitiateAuth on resource: arn:aws:cognito-idp:ap-southeast-2:xxxx:userpool/ap-southeast-2_xxxxx --->
```

Credit goes to the following article:

https://medium.com/@fcavalcantirj/tutorial-aws-api-gateway-cognito-userpool-8cc5838eac0

Specifically, step 2.2.4.4. Since the Visual Studio wizard handles almost everything else, I only needed to add these extra policies.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "arn:aws:logs:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cognito-identity:*",
        "cognito-idp:*",
        "cognito-sync:*",
        "iam:ListRoles",
        "iam:ListOpenIdConnectProviders",
        "sns:ListPlatformApplications"
      ],
      "Resource": "*"
    }
  ]
}
```
The policy was created and applied as follows:

Paste the above policy. (If you get an error about malformed JSON, keep the existing JSON in the JSON box and copy only what is between the curly braces under Statement from the policy above - obviously including the braces themselves.)

```json
{"Version":"2012-10-17","Statement":[]}
```

Go to Review policy and finish creating it.

Go to Roles and click the AspNetCoreFunctionRole user that was logged and shown in the CloudWatch log.
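Added editorial note, not part of the question, the answer, or the linked article: the policy above grants `cognito-idp:*`, `cognito-identity:*` and `cognito-sync:*` on every resource in the account, which is far wider than the function needs. The CloudWatch log line names exactly one denied action (`cognito-idp:AdminInitiateAuth`) and the user pool ARN it was denied on, so the execution role can be limited to that action on that pool, and the logging statement can be limited to the function's own log group. The following is a constructed least-privilege alternative; the account ID `111122223333`, the pool ID `ap-southeast-2_POOLID_PLACEHOLDER` and the log group name `FUNCTION_NAME_PLACEHOLDER` are placeholders to substitute with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "WriteOwnFunctionLogs",
      "Effect": "Allow",
      "Action": [
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": [
        "arn:aws:logs:ap-southeast-2:111122223333:log-group:/aws/lambda/FUNCTION_NAME_PLACEHOLDER",
        "arn:aws:logs:ap-southeast-2:111122223333:log-group:/aws/lambda/FUNCTION_NAME_PLACEHOLDER:*"
      ]
    },
    {
      "Sid": "SignInAgainstOneUserPool",
      "Effect": "Allow",
      "Action": "cognito-idp:AdminInitiateAuth",
      "Resource": "arn:aws:cognito-idp:ap-southeast-2:111122223333:userpool/ap-southeast-2_POOLID_PLACEHOLDER"
    }
  ]
}
```

The two log-group ARNs are listed separately because `CreateLogGroup` is evaluated against the group itself while `CreateLogStream` and `PutLogEvents` are evaluated against streams under it. The `iam:List*` and `sns:ListPlatformApplications` actions from the article's policy are not used by the controller shown, so they are omitted; if the function later calls other Cognito operations (for example `AdminRespondToAuthChallenge` for MFA or a new-password challenge), add each one to the `Action` list explicitly rather than reverting to `cognito-idp:*`.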