
User Identity Pool Authenticate user with Amazon Cognito - Java SDK

It doesn't seem through the documentation that there is a clear way to do this. After creating a user pool and then creating a provider in Cognito against the user pool, how do I go about authenticating a username and password?

I found this sample, but it looks like passwords are managed in a separate database instead of in Cognito.

I'm assuming you're using the Mobile SDK for Android and you have everything set up. First, you will want to connect to the user pool:

CognitoUserPool userPool = new CognitoUserPool(
                             context, userPoolId, clientId, clientSecret);

Then, pick the user you want to authenticate:

CognitoUser user = userPool.getUser(userId);

Then, write the authentication handler. Cognito will call into your code when (if) it needs a username and a password, rather than you calling it.

AuthenticationHandler handler = new AuthenticationHandler() {
    @Override
    public void onSuccess(CognitoUserSession userSession) {
        // Authentication was successful, the "userSession" will have the current valid tokens
    }

    @Override
    public void getAuthenticationDetails(final AuthenticationContinuation continuation, final String userID) {
        // User authentication details, userId and password are required to continue.
        // Use the "continuation" object to pass the user authentication details

        // After the user authentication details are available, wrap them in an AuthenticationDetails class
        // Along with userId and password, parameters for user pools for Lambda can be passed here
        // The validation parameters "validationParameters" are passed in as a Map<String, String>
        AuthenticationDetails authDetails = new AuthenticationDetails(userId, password, validationParameters);

        // Now allow the authentication to continue
        continuation.setAuthenticationDetails(authDetails);
        continuation.continueTask();
    }

    /* Handle 2FA, challenges, etc as needed */
};

Finally, try to get a new session and give your handler.

user.getSession(handler);

If all goes well, you should now have a session with valid tokens.

This example is based on the developer guide which also has examples for registering new users, signing out, and so on.

If you have a user pool, you should be authenticating against the user pool. See http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html.

For the back-end, you'd use something like this:

Map<String, String> params = new HashMap<>();
params.put("USERNAME", userId);
params.put("SECRET_HASH", calculateSecretHash(userId));
params.put("PASSWORD", rawPassword);

AdminInitiateAuthRequest request = new AdminInitiateAuthRequest()
    .withUserPoolId("YOUR_USER_POOL_ID")
    .withClientId("YOUR_USER_POOL_APP_CLIENT_ID")
    .withAuthFlow(AuthFlowType.ADMIN_NO_SRP_AUTH)
    .withAuthParameters(params);

AWSCognitoIdentityProvider identityProvider = AWSCognitoIdentityProviderClientBuilder.standard()
        .withCredentials(credentialsProvider)
        .withRegion(Regions.US_WEST_2)
        .build();
AdminInitiateAuthResult result = identityProvider.adminInitiateAuth(request);

Helper function:

private String calculateSecretHash(@Nonnull String userName) {

  SecretKeySpec signingKey = new SecretKeySpec(m_clientSecret.getBytes(StandardCharsets.UTF_8), HmacAlgorithms.HMAC_SHA_256.toString());
  try {
    Mac mac = Mac.getInstance(HmacAlgorithms.HMAC_SHA_256.toString());
    mac.init(signingKey);
    mac.update(userName.getBytes(StandardCharsets.UTF_8));
    byte[] rawHmac = mac.doFinal(m_clientId.getBytes(StandardCharsets.UTF_8));
    return Base64.encodeBase64String(rawHmac);

  } catch (Exception ex) {
    throw new PgkbRuntimeException("Error calculating secret hash", ex);
  }
}

You only need the federated identity pool if you plan on aggregating identity across providers. In this case, you would still need to authenticate against the user pool, and use the authenticated user's id against the identity pool.
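
The back-end snippet above stops once `adminInitiateAuth` returns; the following added example (not part of the original answers, and not AWS's own code) shows one way to act on the result with the same AWS SDK for Java v1 classes. `BackendLogin`, `Outcome` and `Status` are hypothetical names introduced here; the caller is assumed to build `idp` and `request` as shown in the answer.

```java
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AuthenticationResultType;
import com.amazonaws.services.cognitoidp.model.NotAuthorizedException;
import com.amazonaws.services.cognitoidp.model.PasswordResetRequiredException;
import com.amazonaws.services.cognitoidp.model.UserNotConfirmedException;
import com.amazonaws.services.cognitoidp.model.UserNotFoundException;

// Hypothetical wrapper (not an SDK class) around the adminInitiateAuth call.
public final class BackendLogin {

    public enum Status { SIGNED_IN, CHALLENGE, REJECTED }

    public static final class Outcome {
        public final Status status;
        public final AuthenticationResultType tokens; // set only for SIGNED_IN
        public final String challengeName;            // set only for CHALLENGE
        public final String session;                  // set only for CHALLENGE
        public final String internalReason;           // server-side logs only

        Outcome(Status status, AuthenticationResultType tokens,
                String challengeName, String session, String internalReason) {
            this.status = status;
            this.tokens = tokens;
            this.challengeName = challengeName;
            this.session = session;
            this.internalReason = internalReason;
        }
    }

    public static Outcome login(AWSCognitoIdentityProvider idp, AdminInitiateAuthRequest request) {
        try {
            AdminInitiateAuthResult result = idp.adminInitiateAuth(request);
            if (result.getChallengeName() != null) {
                // For example NEW_PASSWORD_REQUIRED or SMS_MFA: no tokens were issued.
                // Answer with adminRespondToAuthChallenge, passing this session back.
                return new Outcome(Status.CHALLENGE, null,
                        result.getChallengeName(), result.getSession(), null);
            }
            // getAuthenticationResult() carries the ID, access and refresh tokens.
            return new Outcome(Status.SIGNED_IN, result.getAuthenticationResult(), null, null, null);
        } catch (NotAuthorizedException | UserNotFoundException
                | UserNotConfirmedException | PasswordResetRequiredException e) {
            // Same outward answer for every rejection, so the login endpoint does not
            // reveal which usernames exist; keep the specific cause for server logs.
            return new Outcome(Status.REJECTED, null, null, null, e.getClass().getSimpleName());
        }
    }
}
```

Other service exceptions (throttling, misconfigured pool or client) are deliberately left to propagate, since they indicate an operational fault rather than a failed login.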
