[英]Google Authentication fails with AWS Cognito Identity Pool on Android
I get an NotAuthorizedException:Token is not from a supported provider of this identity pool
when I call Amazon.CognitoIdentity.AmazonCognitoIdentityClient.GetIdAsync()
当我调用
Amazon.CognitoIdentity.AmazonCognitoIdentityClient.GetIdAsync()
时,我得到NotAuthorizedException:Token is not from a supported provider of this identity pool
I do not understand why, the token was obtained by authenticating with GoogleSignInApi
, and the AWS Identity Pool is configured to federate to the Google authentication provider with the same "Google WebApp Client ID" used to authenticate on the Android device. 我不明白为什么,令牌是通过使用
GoogleSignInApi
进行身份验证而获得的,并且AWS Identity Pool配置为使用与在Android设备上进行身份验证的相同“ Google WebApp客户端ID”联合到Google身份验证提供程序。
Also I've tried to obtain the Google token using 2 different ways 我也尝试使用两种不同的方法来获取Google令牌
.RequestIdToken()
on the GoogleSignInOptions
.RequestIdToken()
上的GoogleSignInOptions
.RequestIdToken()
结果 GoogleAuthUtil.GetToken
API GoogleAuthUtil.GetToken
API Both tokens are different when inspected, both look like good tokens, and both fail with the same error when given to AmazonCognitoIdentityClient
. 在检查时,这两个令牌是不同的,它们看起来都像是好的令牌,并且在给
AmazonCognitoIdentityClient
时都失败,并出现相同的错误。 Clearly the user is authenticated on the Android device, the app is able to get the Email, DisplayName etc... 显然,用户已在Android设备上通过身份验证,该应用程序能够获取电子邮件,DisplayName等。
var googleSignInOptions = new
GoogleSignInOptions.Builder(GoogleSignInOptions.DefaultSignIn)
.RequestIdToken("Google WebApp Client ID")
.RequestEmail()
.Build();
mGoogleApiClient = new GoogleApiClient.Builder(this)
.EnableAutoManage(
this, // FragmentActivity
this) // OnConnectionFailedListener
.AddApi(Auth.GOOGLE_SIGN_IN_API, gso)
.Build();
mGoogleApiClient.Connect();
var result = await Auth.GoogleSignInApi.SilentSignIn(mGoogleApiClient);
// Only need one or the other, trying to figure out which
var idToken = result.SignInAccount.IdToken;
var authToken = await GetGoogleAuthTokenAsync(result.SignInAccount.Email);
var shortLivedAWScredentials = new CognitoAWSCredentials("identity-pool-id", AWSConfigs.RegionEndpoint);
var cognitoClient = new AmazonCognitoIdentityClient(shortLivedAWScredentials,AWSConfigs.RegionEndpoint);
var logins = new Dictionary<string, string>();
logins["accounts.google.com"] = idToken; // same failure if I use authToken
var request = new GetIdRequest();
request.IdentityPoolId = "identity-pool-id";
request.Logins = logins;
var result = await cognitoClient.GetIdAsync(request); // THIS THROWS Amazon.CognitoIdentity.Model.NotAuthorizedException
private async Task<string> GetGoogleAuthTokenAsync(string accountEmail)
{
Account googleAccount = new Account(accountEmail, GoogleAuthUtil.GoogleAccountType);
string scopes = "audience:server:client_id:" + "Google WebApp Client ID"
var token = await Task.Run(() => { return GoogleAuthUtil.GetToken(this, googleAccount, scopes); });
return token;
}
Notes - Right after the exception, the AWS Console shows the Cognito identity pool grows by 1 unauthenticated identity, no change to the number of google identities 注意 -发生异常后,AWS控制台立即显示Cognito身份池增加了1个未经身份验证的身份,而Google身份的数量没有变化
Hours of searching and I finally found a solution. 经过数小时的搜索,我终于找到了解决方案。 Basically AWS Cognito Identity Pool Federation to Google+ is completely broken , but do not despair.
基本上, 到Google+的 AWS Cognito身份池联盟已完全损坏 ,但不要绝望。 What you need to do is Federate to an OpenID provider instead .
您需要做的是与OpenID提供程序联合 。
First, go to AWS console > IAM > Identity Providers > Create Provider > Provider Type = OpenID Connect > Provider URL = https://accounts.google.com > Audience = "the Google Client ID for Android or iOS you created in the Google Developer Console" 首先,转到AWS控制台> IAM>身份提供程序>创建提供程序>提供程序类型= OpenID Connect>提供程序URL = https://accounts.google.com > Audience =“您在Google中创建的Android或iOS的Google客户端ID开发者控制台”
Be careful, do not use the "Google Web App Client ID" for the Audience. 请注意,请勿为受众群体使用“ Google Web App客户端ID”。
Second, go to AWS Console > Cognito > Federated Identity Pools. 其次,转到AWS Console> Cognito>联合身份池。 Select your Identity Pool, then click "Edit Identity Pool", then navigate to the OpenID tab (not the Google+ tab, don't even use that one it doesn't work).
选择您的身份池,然后单击“编辑身份池”,然后导航到OpenID标签(不是Google+标签,甚至不要使用那是行不通的)。 You should now see a checkbox titled "accounts.google.com", check it.
现在,您应该看到一个标题为“ accounts.google.com”的复选框,选中它。
Third, go edit your mobile app source code, and make sure you use the "Google WebApp Client ID" you generated in the Google Developer Console when you build the scopes string used to call GoogleAuthUtil.GetTokenGoogleAuthUtil.GetToken(this, googleAccount, scopes)
. 第三,去编辑您的移动应用程序源代码,并确保您在构建用于调用
GoogleAuthUtil.GetTokenGoogleAuthUtil.GetToken(this, googleAccount, scopes)
的范围字符串时使用在Google Developer Console中生成的“ Google WebApp Client ID”。 。 That is scopes = "audience:server:client_id:" + "webClientId"
那是
scopes = "audience:server:client_id:" + "webClientId"
Now your call to var result = await cognitoClient.GetIdAsync(request);
现在,您对
var result = await cognitoClient.GetIdAsync(request);
的调用var result = await cognitoClient.GetIdAsync(request);
should succeed. 应该成功。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.