Cognito用户池用户的其他授权逻辑
[英]Additional authorization logic for Cognito User Pools User
问题描述
If I use AWS Cognito User Pools, isit possible to specify roles of a user then check if this user has a specific role eg. 
如果我使用AWS Cognito用户池,则可以指定用户的角色,然后检查该用户是否具有特定角色,例如。 Admin, Before he/she is able to access a resource eg. 管理员,在他/她能够访问资源之前,例如 API Gateway API网关
1 个解决方案
解决方案1
1 已采纳 2017-08-13 04:50:06
You can use groups in Cognito User Pools and validate in custom Authorizer that the user is in adminGroup: 您可以在Cognito用户池中使用组,并在自定义授权器中验证该用户是否在adminGroup中:
if (payload['cognito:groups'] &&
payload['cognito:groups'][0] === 'adminGroup') {
admin = true;
}
The payload here is what you get from identity token. 这里的有效负载是您从身份令牌获得的。 If there is no cognito:groups, then the user is not in any group. 如果没有cognito:groups,则用户不在任何组中。
Another option is to take advantage of custom attributes in User Pools (the logic for validation in the Authorizer should be similar to the logic above). 另一个选择是利用用户池中的自定义属性(授权程序中用于验证的逻辑应类似于上面的逻辑)。
Other solutions are also possible, but those are external to User Pools (eg keep track of user roles in external DB). 其他解决方案也是可能的,但是它们在用户池外部(例如,跟踪外部数据库中的用户角色)。
Whether it is groups or custom attribute (or other solutions), you would have to validate the user role in the custom authorizer. 无论是组还是自定义属性(或其他解决方案),都必须在自定义授权者中验证用户角色。 This way, the request will arrive to the custom Authorizer before API Gateway endpoint. 这样,请求将在API网关端点之前到达自定义授权者。 If user should be admin, but he is not (not in adminGroup or doesn't have custom attribute 'admin'), you issue deny policy in the authorizer. 如果用户应该是管理员,但不是(不是adminGroup或没有自定义属性“ admin”),则可以在授权者中发出拒绝策略。
Hope this answers your question. 希望这能回答您的问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.