
How to validate a Cognito Access Token in AWS Lambda to allow an API Gateway call?

What I am trying to do is to set up API Gateway in front of my Lambda function that saves something in DynamoDB (or other stuff that I want to be only for logged-in users). But I do not understand how to validate the AccessToken and how to get the user from it.

I found this post on the AWS forum and I decided to try approach 1.

Cognito User Pools + API Gateway + API Gateway Custom Authorizer + Cognito User Pools Access Token.

So now I have a logged-in user:

// Assumed, not in the original snippet: userData needs the pool it belongs to
var userPool = new AWSCognito.CognitoIdentityServiceProvider.CognitoUserPool({
  UserPoolId : 'us-east-1_EXAMPLE', ClientId : 'your-app-client-id' });
var userData = { Username : 'username', Pool : userPool };

var authenticationData = {
  Username : 'username', // your username here
  Password : 'password', // your password here
};
var authenticationDetails = new AWSCognito.CognitoIdentityServiceProvider.AuthenticationDetails(authenticationData);

var cognitoUser = new AWSCognito.CognitoIdentityServiceProvider.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
  onSuccess: function (result) {
    // the access token is a JWT; send it to the API Gateway endpoint
    console.log('access token + ' + result.getAccessToken().getJwtToken());
    // .... (rest of the handler elided in the original post)
  },
  onFailure: function (err) { console.error(err); }
});

and his accessToken. I also set up a custom authorizer (API Gateway Custom Authorizer) on my API call.

Now I should validate the access token and decide whether to allow or deny the method call. But I do not understand how to do that, and how do I retrieve the user from the token?

You do not need an API Gateway Custom Authorizer just to authenticate an API endpoint. Go to its Method Request and select AWS_IAM in the Authorization dropdown, where NONE is selected by default.

When the access token is sent to this endpoint, it will AUTOMATICALLY check the access token's Role (after communicating with the Cognito service) and check the policies attached to the Role.

If the IAM policy allows invoking this endpoint, AWS API Gateway will execute it further; otherwise it will throw you back a 403 error or some other error.

YOU DO NOT NEED TO WRITE ANY CODE, UNLESS you have some totally different auth logic to apply, which can be achieved via the "API Gateway Custom Authorizer".

For Cognito User Pools + API Gateway + API Gateway Custom Authorizer + Cognito User Pools Access Token:

You should create a Cognito Authorizer (available as an option when you create a custom authorizer) and link your User Pool and Identity Pool. Then the client needs to send the idToken (generated using the User Pool SDK) to access the endpoint. This idToken will be validated by the Cognito Identity Pool via the Cognito Authorizer (used in the Authorization method dropdown).

The idToken generated by the SDK can be obtained through another Lambda + endpoint, such as a login endpoint, or it can be generated using the Cognito mobile SDKs as well.
