Is it possible to use Cognito's Authorization code grant type as an authorizer in the API Gateway?
I would like to know whether there is any way or possibility to implement the authorization code grant type as an Authorizer for securing an API Gateway. As far as I have searched, the 'Authorization code' grant type is the most recommended for securing an API. I found the article below, which explains using Cognito 'client credentials' as the grant type to secure the API Gateway:
https://medium.com/@awskarthik82/part-1-securing-aws-api-gateway-using-aws-cognito-oauth2-scopes-410e7fb4a4c0
I tried a similar way to create an API Gateway, where I have done the following integration:
Created a user pool 'UI Hosted' in Cognito with the grant type 'Authorization code'
Added the resource server
Chose the default scopes, as I don't want to add any new scope
Associated the callback URI
Now I am able to access the login page to sign up and sign in, and it returns the 'Authorization code' in the callback URI
I created an API and integrated some mock response
Attached the above user pool as Authorizer in the API Gateway and deployed
Now when I invoke the API without passing a token, it returns 'Unauthorized'
So I used the approach below to extract the access token from Cognito:
How to programmatically exchange the authorization code to get the access token from Cognito using Python
And passed the token in the API header using Postman, but I am still getting the 'Unauthorized' response.
So I would like to know what needs to be done in API Gateway in order to verify the token, or what went wrong in this approach?
Appreciate it if anybody can help on this.
Thanks
Your API's role is to just deal with incoming access tokens from API clients. The API doesn't care what flow was used to get the token. Here is by far the most common behaviour:
Here is some sample code in case it helps:
AWS API Gateway has built-in support for Cognito authorizers, as in the screenshot on the left below.
For more control over behaviour you can instead create a custom Lambda authorizer in code, which returns an AWS policy document, as in the screenshot on the right. My blog post and the above source code link have some further details, though it is quite detailed / advanced.
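The custom Lambda authorizer this answer describes, written out as an added example; it is not code from the original answer, the linked blog post or the linked source. It is a TOKEN-type authorizer: it takes the bearer token from the Authorization header, verifies it, and returns the IAM policy document API Gateway expects, Allow on success and Deny otherwise. The issuer URL, app client id, method ARN and tokens are constructed values. Because the example has to run offline, the demo tokens are HMAC-signed (HS256) with a shared secret; that stands in for what a real authorizer does, which is verify Cognito's RS256 signature against the pool's JWKS at <issuer>/.well-known/jwks.json with a JWT library. The claim checks after the signature (issuer, expiry, token_use, and aud for ID tokens or client_id for access tokens) are the same either way.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values standing in for a real user pool and app client (assumption, not from the page).
USER_POOL_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "example-app-client-id"
# Offline demo only: HS256 with a shared secret replaces Cognito's RS256 + JWKS verification.
DEMO_SIGNING_KEY = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict, key: bytes = DEMO_SIGNING_KEY) -> str:
    """Build a compact HS256 JWS so the authorizer can be exercised without a user pool."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_cognito_token(token: str, now: float = None, key: bytes = DEMO_SIGNING_KEY) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError.

    After the signature, the checks mirror what any Cognito-aware authorizer must do:
    issuer, expiry, token_use, and the app-client binding (aud for ID tokens,
    client_id for access tokens).
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWT")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never accept an alg the verifier did not expect
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != USER_POOL_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    token_use = claims.get("token_use")
    if token_use == "id":
        if claims.get("aud") != APP_CLIENT_ID:
            raise ValueError("ID token was not issued to this app client")
    elif token_use == "access":
        if claims.get("client_id") != APP_CLIENT_ID:
            raise ValueError("access token was not issued to this app client")
    else:
        raise ValueError("unknown token_use")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str) -> dict:
    """The policy document shape API Gateway expects from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }


def lambda_handler(event: dict, context=None, now: float = None) -> dict:
    """TOKEN-type authorizer entry point: event carries authorizationToken and methodArn."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[len("bearer "):]
    try:
        claims = verify_cognito_token(token, now=now)
    except ValueError:
        # Any verification failure yields a Deny; the caller sees 403 from API Gateway.
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(claims["sub"], "Allow", event["methodArn"])


if __name__ == "__main__":
    arn = "arn:aws:execute-api:us-east-1:123456789012:abc123/dev/GET/hello"  # constructed
    demo = make_demo_token({"iss": USER_POOL_ISSUER, "sub": "user-1", "aud": APP_CLIENT_ID,
                            "token_use": "id", "exp": int(time.time()) + 300})
    print(json.dumps(lambda_handler({"authorizationToken": "Bearer " + demo, "methodArn": arn}), indent=2))
```

The token_use branch is what decides whether an ID token or an access token is acceptable at a given endpoint: an ID token is bound to the app client through aud, an access token through client_id, so an authorizer that checks only one of them will reject the other kind of token outright, and a Deny is the correct outcome for anything that fails issuer, expiry or signature.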
Finally I got the answer here:
https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/
So I created a simple Flask logic here to exchange the auth code for the 'id_token' from Cognito, which can then be passed in the API header to get the response.
import requests

# Placeholders for the values the original snippet assumed were defined elsewhere (fill in your own).
url = "https://<your-cognito-domain>.auth.<region>.amazoncognito.com"
grant_type = "authorization_code"
App_client_id = "<app-client-id>"

def getToken(auth_code):
    try:
        print("Code is", auth_code)
        # The token endpoint takes these as form fields; requests sets the form Content-Type itself.
        response = requests.post(url + '/oauth2/token',
                                 data={'grant_type': grant_type,
                                       'client_id': App_client_id,
                                       'code': auth_code,
                                       'redirect_uri': 'http://localhost:5000/login'})
        if response.status_code != 200:
            return "Not a valid response"
        print("Response is", response.json())
        token_value = response.json()
        print("Token value", token_value['id_token'])
        return token_value['id_token']
    except (TypeError, KeyError, requests.RequestException) as e:
        print("Error is", e)
        return None