AWS Cognito with Google provider, how to handle the response from Google?
So I'm using Cognito User Pools with Google as an identity provider. I configured everything and I'm sending the data to Google, which redirects back to the Amazon auth endpoint, which then redirects back to my app with the following parameters in the URL:
AccessToken
ExpiresIn
IdToken
TokenType
Now, I have no idea how to use these to actually create a Cognito "session" that goes into the JavaScript API workflow and just becomes automatic (sending, receiving and renewing the token).
How do I achieve this?
Using IDToken to Authenticate Your API
After you authenticate, you can cache the IDToken in the browser and use it when the logged-in user makes API calls from your web or mobile application. Then you can validate the token at your API endpoints for each request.
Validating IDToken
For more information about using the tokens and validating them at API endpoints, refer to the AWS documentation on Using Tokens with User Pools. There is a new library introduced by AWS called aws-amplify which simplifies some of the implementation. If you are using AWS API Gateway for your API, you can use a custom authorizer Lambda function to do the validation.
Storing the IDToken and Security
In addition, the IDToken is a stateless token, which means it doesn't have a session in connection with AWS Cognito once issued. This means you cannot revoke it after issuing. Therefore it's important to keep its expiry short.
To allow your authentication API to issue new IDTokens before they expire, you might need to store the Refresh Token in your backend and use it to issue new tokens before the IDToken expires, to implement a sliding window.
Note: When storing the IDToken in the browser, you can decide among the multiple storage options available (e.g. cookies, LocalStorage). However, I'm not going to comment on the security implications since that is itself a long discussion where there are still opinionated areas. The standard approach currently available is to set up a server-side cookie and implement CSRF protection. It will be challenging to implement unless you use the IDToken just to initiate the authentication and use a session instead for the recurring requests.