
Spring Security 5 as an OIDC Identity Provider for AWS Cognito User Pool

I have an Authorization Server with Spring Security 5. It supports Authorization Code, Authorization Code with PKCE, Implicit Grant and Client Credentials flows from the OAuth 2.0 authentication framework for its clients. This Spring Security 5 Auth Server is also connected with a database with user information and its password hashes. Currently the Auth Server validates users' credentials from the login page using the users tables from the database.

Right now I need to set up an AWS Cognito User Pool and use the same users already stored in the database. My intention is to use the Spring Security Auth Server as an OIDC Identity Provider for my user pool in AWS Cognito.

Is this possible?

AWS Cognito can act as an Authorization Server, meaning your apps will get AWS tokens. In this case you add Spring as an OpenID Connect IDP, similar to my blog post which used Okta as an IDP. This could be quite an impactful change though, since you may not be able to make Cognito access tokens contain any custom values.

Alternatively you can do it the other way round, in which case your apps will receive Spring issued tokens. I would expect the integration to basically work, whichever way round you do it, though you could experience some annoyances.

An important factor is how your APIs / back end will identify users from access tokens after this change, since Cognito and Spring will use different subject claims in access tokens. In case relevant, this detailed Curity article discusses migrations and user IDs.
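The subject-claim point above, as an added example that is not part of the original answer nor code from Spring Security or Cognito: a back end that accepts tokens from either issuer and resolves the local user through a link table keyed on (issuer, sub), rather than trusting a bare `sub` value or auto-matching accounts on an email claim. Everything in it is constructed: the issuer URLs (the Cognito pool id is a placeholder), the HS256 shared secrets (stand-ins for the RS256/JWKS verification real issuers use, so the example runs offline with only the standard library), the token claims and the local user ids.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed issuer configuration. A real resource server would fetch each
# issuer's JWKS and verify RS256 signatures; HS256 secrets are used here only
# so the example is self-contained.
SPRING_ISSUER = "https://spring-auth.example.internal"
COGNITO_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_PLACEHOLDER"
ISSUERS = {
    SPRING_ISSUER: {"secret": b"spring-demo-secret", "audience": "orders-api"},
    COGNITO_ISSUER: {"secret": b"cognito-demo-secret", "audience": "orders-api"},
}


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(issuer: str, claims: dict) -> str:
    """Build an HS256 JWT for a configured issuer (constructed test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps({"iss": issuer, **claims}).encode())
    sig = hmac.new(ISSUERS[issuer]["secret"], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature, issuer, audience and expiry; return the claims."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        raise TokenError("malformed token")
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    iss = claims.get("iss")
    issuer = ISSUERS.get(iss) if isinstance(iss, str) else None
    if issuer is None:
        raise TokenError("unknown issuer")
    expected = hmac.new(issuer["secret"], f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if claims.get("aud") != issuer["audience"]:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired or missing exp")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise TokenError("missing sub")
    return claims


# Link table keyed on (issuer, sub). It is populated during a controlled
# migration step, never on the fly from an incoming token.
IDENTITY_LINKS: "dict[tuple[str, str], int]" = {}


def link_identity(issuer: str, sub: str, local_user_id: int) -> None:
    """Record that (issuer, sub) belongs to a local user; refuse silent re-linking."""
    key = (issuer, sub)
    if key in IDENTITY_LINKS and IDENTITY_LINKS[key] != local_user_id:
        raise ValueError(f"{key} already linked to user {IDENTITY_LINKS[key]}")
    IDENTITY_LINKS[key] = local_user_id


def resolve_user(token: str, now: Optional[float] = None) -> int:
    """Map a verified token to a local user id, regardless of which IDP issued it."""
    claims = verify_token(token, now)
    key = (claims["iss"], claims["sub"])
    if key not in IDENTITY_LINKS:
        raise TokenError("subject not linked to a local user")
    return IDENTITY_LINKS[key]


if __name__ == "__main__":
    now = time.time()
    link_identity(SPRING_ISSUER, "alice", 1001)
    link_identity(COGNITO_ISSUER, "c0ffee00-placeholder-sub", 1001)  # constructed Cognito sub
    for iss, sub in [(SPRING_ISSUER, "alice"), (COGNITO_ISSUER, "c0ffee00-placeholder-sub")]:
        tok = mint_token(iss, {"sub": sub, "aud": "orders-api", "exp": now + 300})
        print(iss, "->", resolve_user(tok))
```

The design choice worth noting is that an unlinked subject is rejected instead of being matched to an existing account by email or username: both issuers in the migration can legitimately produce tokens, but only identities you linked deliberately map to a local user.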
