
AWS - Cognito Identity with nodejs - What to do with tokens

So I'm trying to use Cognito Identity in my nodejs API. My goal in using Cognito Identity is to be able to give users a secure way to create a user account and log in. I'd like to use my API to make aws cognito calls to verify users by identifying them with their email address. My API will then give users access based on who they are, which is based on their email.

I was able to create a user, verify the user's email, and log in to get an AccessToken, IDToken, and RefreshToken. That's great, but at this point I'm not entirely sure what to do with these tokens. I'd imagine I can somehow use them to verify a user every time they make a call to my API, but I'm uncertain how to do that.

I'm imagining authentication flow going something like this:

User logs in with their password -> My API makes a call to aws to get tokens -> My API passes those tokens back to the user's mobile device -> Their mobile device stores these tokens -> AccessToken is used to verify all API calls until it expires -> RefreshToken is used to get a new set of tokens if AccessToken expires -> If RefreshToken is expired user must log in with username/password again.

Is that incorrect or an improper way of doing this? If I have the right idea, then how do I use the tokens to accomplish this? I wasn't able to find any documentation on the authentication process once a user gets their tokens. The only thing I can find that seems it might be able to accomplish this is here: http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CognitoIdentityServiceProvider.html#initiateAuth-property

Your next step depends on what service you use and how you use it.

For example, for an API-driven application with Lambda / API Gateway, you'd use Amazon Cognito User Pools for your API resource methods and send the ID token as an Authorization header with your API call. (Yes, the name is misleading. It should be Authentication since the authorization logic is actually implemented in your Lambda function)

Then, your Lambda function can access the identity claim properties from the user pool using the context object (when you enable Lambda proxy integration) as:

const email = context.authorizer.claims.email;

or

const cognitoGroups = context.authorizer.claims['cognito:groups'];

If you haven't enabled Lambda proxy integration, you should make sure to pass those values in your body-mapping template.

You can find code examples here and here.
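To make the "authorization logic lives in your Lambda function" point concrete, here is an added example of a Node.js handler behind an API Gateway method protected by a Cognito User Pools authorizer with Lambda proxy integration. It is not code from the answer, from AWS, or from the linked examples. It assumes the proxy event shape in which the authorizer's claims arrive as `event.requestContext.authorizer.claims` with string-valued claims (so `email_verified` is the string `"true"`), and it treats the format of `cognito:groups` as an assumption, accepting either an array or a comma/space separated string. The decision itself is kept in a pure function so it can be tested without API Gateway.

```javascript
// Added example: authorization decisions in a Lambda proxy handler, based on the
// identity claims the Cognito User Pools authorizer attached to the request.

// Assumption: cognito:groups may be an array or a string such as "admins,users"
// or "[admins users]"; normalise both to an array of group names.
function parseGroups(raw) {
  if (Array.isArray(raw)) return raw;
  if (typeof raw !== 'string') return [];
  return raw.replace(/^\[|\]$/g, '').split(/[,\s]+/).filter(Boolean);
}

// Pure decision function: claims in, HTTP-style response out.
// The authorizer already proved the token was genuine; this is the "who may do what".
function decideAccess(claims, requiredGroup) {
  if (!claims || !claims.email) {
    return { statusCode: 401, body: JSON.stringify({ error: 'no identity in request' }) };
  }
  // Claim values arrive as strings, so compare against "true", not a boolean.
  if (claims.email_verified !== 'true') {
    return { statusCode: 403, body: JSON.stringify({ error: 'email not verified' }) };
  }
  const groups = parseGroups(claims['cognito:groups']);
  if (requiredGroup && !groups.includes(requiredGroup)) {
    return { statusCode: 403, body: JSON.stringify({ error: `requires group ${requiredGroup}` }) };
  }
  return {
    statusCode: 200,
    body: JSON.stringify({ email: claims.email, groups }),
  };
}

// Lambda entry point for proxy integration. REQUIRED_GROUP is a hypothetical
// route setting; a real deployment would derive it from the route or environment.
const REQUIRED_GROUP = 'admins';

async function handler(event) {
  const claims = event && event.requestContext && event.requestContext.authorizer
    ? event.requestContext.authorizer.claims
    : undefined;
  return decideAccess(claims, REQUIRED_GROUP);
}

module.exports = { handler, decideAccess, parseGroups };
```

Because the authorizer rejects requests with a bad or missing token before the function runs, the 401 branch mostly guards against misconfiguration (the method deployed without the authorizer); the 403 branches are the actual authorization logic the answer refers to.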

There is a good reference github application that demonstrates various aspects of cognito and how it integrates with lambda, API Gateway, DynamoDB and other AWS services.

Here's a link: https://github.com/awslabs/aws-serverless-auth-reference-app
