如何仅授予其Cognito子用户和具有完整AWS特权的安全服务器来认证Cognito用户(安全的后端服务器到服务器身份验证)
[英]How to authenticate a cognito user given only their cognito sub and a secure server with full AWS privileges (secure backend server-to-server auth)
问题描述
TL;DR : I want to make an cognito-authenticated request to my own backend API from another server. 
TL; DR:我想从另一台服务器向我自己的后端API发出经过身份验证的请求。
I have a node.js backend API (configured by claudia-js and deployed as AWS lambda, interfaced by AWS API gateway and secured with Cognito) 我有一个node.js后端API(由claudia-js配置并部署为AWS lambda,由AWS API网关进行接口并由Cognito保护)
My React frontend can make requests to my backend no problem; 我的React前端可以毫无问题地向后端发出请求; I just use react Amplify to log the user in in the usual flow, get a token, then make HTTPS requests to API gateway. 我只是使用react Amplify以通常的流程登录用户,获取令牌,然后向API网关发出HTTPS请求。
I have another server (AWS elasticbeanstalk, basic username-password auth) which hosts a microservice, connected to a scheduling system (agenda-js) that users can access via the backend API. 我还有另一台服务器(AWS elasticbeanstalk,基本的用户名-密码auth),该服务器托管微服务,该微服务连接到用户可以通过后端API访问的调度系统(议程js)。 The problem: We need to be able to communicate the other way. 问题:我们需要能够以其他方式进行交流。
Jobs are saved to db with the userID (we just use the cognito sub as our userID, it makes things consistent). 作业使用userID保存到db(我们只使用cognito子作为我们的userID,这使事情保持一致)。 One job requires contacting the backend API on behalf of our user, on a schedule (once a month, lets say). 一项工作需要按时间表(代表一个月一次)代表我们的用户联系后端API。 This requires authenticating as the cognito user, given only the cognito userID, get the token and programatically make the REST/HTTP request to the backend API. 这要求仅给定cognito用户ID身份认证为cognito用户,获取令牌并以编程方式向后端API发出REST / HTTP请求。
Done: 完成:
Added the job processor server as an app client to my cognito user pool
将作业处理器服务器作为应用程序客户端添加到我的Cognito用户池中 Written the job processor that can authenticate against the cognito user pool using my own creds (hardcoded username/pwd)
编写了可以使用我自己的凭据(硬编码的用户名/密码)对认知用户池进行身份验证的作业处理器 Written the secure http request to the backend api using the token from the above step
使用上述步骤中的令牌将安全的http请求写入后端api
Job processor code: 作业处理器代码:
// auth and cognito params
const params = {
AuthFlow: 'ADMIN_NO_SRP_AUTH',
ClientId: 'xxxxxxxxxxxxxxxxxxxxxxx',
UserPoolId: 'XX-XXXX-X_XXXXXXXXX',
AuthParameters: {
USERNAME: 'my-username',
PASSWORD: 'my-pwd',
},
};
cognitoidentityserviceprovider.adminInitiateAuth(params, (err, data) => {
if (err) console.log(err);
const token = data.AuthenticationResult.IdToken;
// HTTP opts to call my backend api
const options = {
method: 'GET',
url: 'https://my.api.url/tasks/action',
headers: {
Authorization: `Bearer ${token}`,
},
json: true,
};
// Call my backend api
rp(options, (error, response, body) => {
if (error) throw new Error(error);
console.log(body);
});
});
The above code works perfectly, I am able to call my own API as user (myself, in this case), but I would like to be able to call the API with this script as any user, by providing the cognito auth API with the cognito userID, and an AWS secret key, IAM role or whatever is needed in a .env var or whatever. 上面的代码完美的作品,我能叫我自己的API为用户(我自己,在这种情况下),但我想能够调用这个脚本任何用户的API,通过提供cognito AUTH API与cognito用户ID,以及AWS密钥,IAM角色或.env var中所需的任何内容。 I just don't know how to achieve this! 我只是不知道该如何实现! TIA TIA
1 个解决方案
解决方案1
0 2019-06-14 13:17:29
For anyone reading: I gave up on this approach and instead authorised the client server using IAM auth and the api gateway sdk client. 对于任何阅读的人:我放弃了这种方法,而是使用IAM auth和api网关sdk客户端授权了客户端服务器。 The user information (non sensitive) is sent in the http body 用户信息(不敏感)在http正文中发送
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.