AWS Cognito external user pool identity provider (OIDC)

Question (votes: 0, answers: 1)

I am integrating a Cognito App Client with an external provider (Twitch). User authentication works fine, but since Cognito consumes the code returned by the authentication server, I am not sure how I am supposed to send Twitch requests with a token, which I would normally obtain from Twitch using that code; Cognito does not hand this code over. All I have is the Cognito code, which I can use in a request to https://{my-domain}/oauth2/token to exchange it for Cognito tokens. That request returns id_token, access_token and refresh_token, which look like this when decoded:

ID token

{
  "at_hash": "yTNkeTAqzqcXCYi3yLL2Pw",
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "cognito:username": "xxxxxxxxxxxx",
  "preferred_username": "xxxxxxxxxxxx",
  "nonce": "SxxlipCDVbXbcXa1H7Uf9_nM0uOurAAObUVCyreBDDux99QoAngUoiGdE0me-0Zon6fEVLLTSqD4EN1Y6_lFm48MaoBaxyywZCQKOT70gfQEfkuhlsjImJd1ko3qH3QKdlmvWSPCUZoACPYNSgR364VPELyQTVMkRTCt9eYROag",
  "aud": "35l1cn53cnj9sv1ndu8u01amk0",
  "identities": [
    {
      "userId": "xxxxxxxxxxxx",
      "providerName": "xxxxxxxxxxxx",
      "providerType": "OIDC",
      "issuer": null,
      "primary": "true",
      "dateCreated": "1588191000072"
    }
  ],
  "token_use": "id",
  "auth_time": 1588191003,
  "exp": 1588194603,
  "iat": 1588191003
}

Access token

{
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin phone openid profile email",
  "auth_time": 1588191003,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "exp": 1588194603,
  "iat": 1588191003,
  "version": 2,
  "jti": "55863213-c764-4b07-a386-a9c93d14e4b2",
  "client_id": "xxxxxxxxxxxx",
  "username": "xxxxxxxxxxxx"
}

How do I get a user token to call the Twitch API (for example, GET https://api.twitch.tv/helix/users with an authorized user token)?

amazon-cognito openid-connect federated-identity
1 answer

0 votes
Note - doing this will expose those attributes to the client. Adding DeveloperOnlyAttribute: true in CloudFormation will hide them. I am not sure how to do this from the console.

The solution is to create custom attributes in the user pool and then map those attributes for the identity provider. That looks like:

refresh_token: 'custom:refresh_token'
id_token: 'custom:id_token'
access_token: 'custom:access_token'

The CloudFormation template for this:

User pool

....
Schema: [
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'refresh_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'access_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'id_token',
    Required: false,
  },
],
....

User pool identity provider

....
AttributeMapping: {
  'dev:custom:refresh_token': 'refresh_token',
  'dev:custom:access_token': 'access_token',
  'dev:custom:id_token': 'id_token',
},
....
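An added example (not code from the question or the answer) of the server-side path this mapping implies: because the answer relies on DeveloperOnlyAttribute to keep the Twitch tokens away from the client, a backend holding AWS credentials reads them with AdminGetUser and calls Twitch on the user's behalf. The attribute names follow the answer's mapping; the dev:custom: prefix in the AdminGetUser response, the Client-Id header, and all sample values are assumptions.

```python
import base64
import json

# Attribute names follow the answer's mapping; the "dev:custom:" prefix on
# AdminGetUser output for developer-only attributes is an assumption.
PROVIDER_ATTRS = {
    "dev:custom:access_token": "access_token",
    "dev:custom:refresh_token": "refresh_token",
    "dev:custom:id_token": "id_token",
}

def decode_jwt_payload(token: str) -> dict:
    """Decode a JWT payload without verifying it; verify against the pool JWKS first."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def select_provider_tokens(user_attributes: list) -> dict:
    """Pull the mapped Twitch tokens out of an AdminGetUser UserAttributes list."""
    found = {PROVIDER_ATTRS[a["Name"]]: a["Value"]
             for a in user_attributes if a["Name"] in PROVIDER_ATTRS}
    if "access_token" not in found:
        raise LookupError("no provider access token mapped for this user")
    return found

def twitch_headers(provider_access_token: str, twitch_client_id: str) -> dict:
    """Headers for GET https://api.twitch.tv/helix/users: user token plus Client-Id."""
    return {"Authorization": f"Bearer {provider_access_token}",
            "Client-Id": twitch_client_id}

def fetch_provider_tokens(user_pool_id: str, cognito_access_token: str) -> dict:
    """Backend-only path: AdminGetUser needs AWS credentials, so dev: attributes
    never reach the browser. Username is taken from the Cognito access token."""
    import boto3  # lazy import so the pure helpers above run without AWS installed
    claims = decode_jwt_payload(cognito_access_token)
    if claims.get("token_use") != "access":
        raise ValueError("expected a Cognito access token")
    client = boto3.client("cognito-idp")
    resp = client.admin_get_user(UserPoolId=user_pool_id, Username=claims["username"])
    return select_provider_tokens(resp["UserAttributes"])

# Constructed sample data (not real tokens) so the pure helpers run offline.
SAMPLE_ACCESS_TOKEN = "eyJhbGciOiJSUzI1NiJ9." + base64.urlsafe_b64encode(
    json.dumps({"token_use": "access", "username": "twitch_12345"}).encode()
).rstrip(b"=").decode() + ".signature-placeholder"
SAMPLE_USER_ATTRIBUTES = [
    {"Name": "dev:custom:access_token", "Value": "twitch-user-token-example"},
    {"Name": "dev:custom:refresh_token", "Value": "twitch-refresh-example"},
]
```

The helix call itself is then a plain GET with twitch_headers(...) from the backend, never from the browser, so the Twitch token stays server-side.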
