I am integrating a Cognito App Client with an external provider (Twitch). User authentication works fine, but because Cognito uses the code returned by the authorization server, I am not sure how I should send Twitch requests with a token; normally I would get that token from Twitch, but Cognito consumes the code instead. I only have the Cognito code, which I can exchange for Cognito tokens with a request to https://{my-domain}/oauth2/token. The request returns id_token, access_token and refresh_token, which decoded look like this:

ID token
    {
      "at_hash": "yTNkeTAqzqcXCYi3yLL2Pw",
      "sub": "3cfba641-4058-475f-9818-17291175fd31",
      "cognito:groups": [
        "us-east-1_xxxxxxxxxxxx"
      ],
      "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
      "cognito:username": "xxxxxxxxxxxx",
      "preferred_username": "xxxxxxxxxxxx",
      "nonce": "SxxlipCDVbXbcXa1H7Uf9_nM0uOurAAObUVCyreBDDux99QoAngUoiGdE0me-0Zon6fEVLLTSqD4EN1Y6_lFm48MaoBaxyywZCQKOT70gfQEfkuhlsjImJd1ko3qH3QKdlmvWSPCUZoACPYNSgR364VPELyQTVMkRTCt9eYROag",
      "aud": "35l1cn53cnj9sv1ndu8u01amk0",
      "identities": [
        {
          "userId": "xxxxxxxxxxxx",
          "providerName": "xxxxxxxxxxxx",
          "providerType": "OIDC",
          "issuer": null,
          "primary": "true",
          "dateCreated": "1588191000072"
        }
      ],
      "token_use": "id",
      "auth_time": 1588191003,
      "exp": 1588194603,
      "iat": 1588191003
    }
Access token
    {
      "sub": "3cfba641-4058-475f-9818-17291175fd31",
      "cognito:groups": [
        "us-east-1_xxxxxxxxxxxx"
      ],
      "token_use": "access",
      "scope": "aws.cognito.signin.user.admin phone openid profile email",
      "auth_time": 1588191003,
      "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
      "exp": 1588194603,
      "iat": 1588191003,
      "version": 2,
      "jti": "55863213-c764-4b07-a386-a9c93d14e4b2",
      "client_id": "xxxxxxxxxxxx",
      "username": "xxxxxxxxxxxx"
    }
How do I get the user's token to call the Twitch API (for example, GET https://api.twitch.tv/helix/users with the authorized user's token)?
The solution is to create custom attributes in the user pool and then map those attributes for the identity provider. It looks like:

    refresh_token: 'custom:refresh_token'
    id_token: 'custom:id_token'
    access_token: 'custom:access_token'

CloudFormation template for this:

User pool

    ....
    Schema: [
      { AttributeDataType: 'String', DeveloperOnlyAttribute: true, Mutable: true, Name: 'refresh_token', Required: false },
      { AttributeDataType: 'String', DeveloperOnlyAttribute: true, Mutable: true, Name: 'access_token', Required: false },
      { AttributeDataType: 'String', DeveloperOnlyAttribute: true, Mutable: true, Name: 'id_token', Required: false },
    ],
    ....

User pool identity provider

    ....
    AttributeMapping: {
      'dev:custom:refresh_token': 'refresh_token',
      'dev:custom:access_token': 'access_token',
      'dev:custom:id_token': 'id_token',
    },
    ....

DeveloperOnlyAttribute: true hides it. I am not sure how to do this from the console.
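As an added example (not code from the question or the answer) of how a backend would use the mapping above: it validates the caller's Cognito access token claims, reads the developer-only attributes from an AdminGetUser response, and builds the headers for the Twitch Helix call. Assumptions: AdminGetUser returns the mapped attributes under their dev:custom: names, signature verification against the pool's JWKS happens before the claim check, and the sample response and token values are constructed.

```python
import time

# Constructed sample: the decoded Cognito access token from the question,
# placeholders kept as on the page; only the claims checked below are listed.
SAMPLE_ACCESS_CLAIMS = {
    "sub": "3cfba641-4058-475f-9818-17291175fd31",
    "token_use": "access",
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
    "exp": 1588194603,
    "client_id": "xxxxxxxxxxxx",
    "username": "xxxxxxxxxxxx",
}
# Constructed AdminGetUser response once the answer's AttributeMapping is in
# place. Assumption: developer-only attributes are returned with their
# "dev:custom:" prefix. Token values are fake.
SAMPLE_ADMIN_GET_USER = {
    "Username": "xxxxxxxxxxxx",
    "UserAttributes": [
        {"Name": "sub", "Value": "3cfba641-4058-475f-9818-17291175fd31"},
        {"Name": "dev:custom:access_token", "Value": "TWITCH-ACCESS-TOKEN-EXAMPLE"},
        {"Name": "dev:custom:refresh_token", "Value": "TWITCH-REFRESH-TOKEN-EXAMPLE"},
    ],
}

def check_cognito_access_claims(claims, region, user_pool_id, client_id, now=None):
    """Check the claims of a Cognito access token whose signature has already
    been verified against the pool's JWKS; return the caller's username."""
    now = time.time() if now is None else now
    issuer = f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"
    if claims.get("token_use") != "access":
        raise ValueError("not an access token (token_use)")
    if claims.get("iss") != issuer:
        raise ValueError("issuer is not this user pool")
    if claims.get("client_id") != client_id:
        raise ValueError("token belongs to a different app client")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims["username"]

def provider_tokens_from_admin_get_user(response):
    """Extract the mapped Twitch tokens, keyed without the 'dev:custom:' prefix."""
    prefix = "dev:custom:"
    return {a["Name"][len(prefix):]: a["Value"]
            for a in response.get("UserAttributes", [])
            if a["Name"].startswith(prefix)}

def twitch_helix_headers(provider_access_token, twitch_client_id):
    """Headers for a Helix call: the user's token as Bearer plus Client-Id."""
    return {"Authorization": f"Bearer {provider_access_token}",
            "Client-Id": twitch_client_id}
```

A backend obtains the AdminGetUser response under its own AWS credentials, e.g. boto3's `client("cognito-idp").admin_get_user(UserPoolId=..., Username=username)`, so the Twitch tokens stay server-side and never reach the browser.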