Spring Security 5 as an OIDC Identity Provider for AWS Cognito User Pool
I have an Authorization Server with Spring Security 5. It supports the Authorization Code, Authorization Code with PKCE, Implicit Grant and Client Credentials flows from the OAuth 2.0 authentication framework for its clients. This Spring Security 5 Auth Server is also connected to a database with user information and its password hashes. Currently the Auth user validates users' credentials from the login page using the user tables from the database.

Right now I need to set up an AWS Cognito User Pool and use the same users already stored in the database. My intention is to use the Spring Security Auth Server as an OIDC Identity Provider for my user pool in AWS Cognito.

Is this possible?
AWS Cognito can act as an Authorization Server, meaning your apps will get AWS tokens. In this case you add Spring as an OpenID Connect IDP, similar to my blog post which used Okta as an IDP. This could be quite an impactful change though, since you may not be able to make Cognito access tokens contain any custom values.

Alternatively you can do it the other way round, in which case your apps will receive Spring-issued tokens. I would expect the integration to basically work, whichever way round you do it, though you could experience some annoyances.

An important factor is how your APIs / back end will identify users from access tokens after this change, since Cognito and Spring will use different subject claims in access tokens. In case relevant, this detailed Curity article discusses migrations and user IDs.
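The subject-claim problem raised in the answer above is easiest to see with the back end's lookup logic written out. The following is an added example, not code from the question or the answer: it keys local users on the (issuer, sub) pair rather than on `sub` alone, so tokens from the Spring server and from Cognito can be resolved to the same account without ever merging on an email address. The issuer URLs, the Cognito provider name `SpringAuth`, the token payloads and the in-memory user store are all constructed for the demo. It assumes the caller has already verified the token signature, `exp` and `aud`; it also assumes Cognito's `identities` claim (which carries the upstream provider's user id for federated users) is available, which in practice means the ID token rather than the access token, so the link would normally be recorded at first login.

```python
"""Resolve a local user from verified OIDC token claims issued by either
the Spring authorization server or an AWS Cognito user pool.

Added example for this Q&A page; not code from the question or answer.
Assumes signature, expiry and audience checks have already passed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed issuer URLs (assumptions for this example).
SPRING_ISSUER = "https://auth.example.com"
COGNITO_ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
TRUSTED_ISSUERS = {SPRING_ISSUER, COGNITO_ISSUER}

# Name given to the Spring IdP inside the Cognito user pool (assumption).
COGNITO_SPRING_PROVIDER_NAME = "SpringAuth"


@dataclass
class UserStore:
    """Minimal in-memory user store: internal user ids plus (issuer, sub) links."""
    users: Dict[str, dict] = field(default_factory=dict)
    links: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def add_user(self, user_id: str, email: str) -> None:
        self.users[user_id] = {"email": email}

    def link(self, issuer: str, sub: str, user_id: str) -> None:
        # A subject is only meaningful together with the issuer that minted it.
        self.links[(issuer, sub)] = user_id


def resolve_user(claims: dict, store: UserStore) -> Optional[str]:
    """Return the internal user id for verified token claims, or None if unknown.

    Raises ValueError for an untrusted issuer or a missing subject so that a
    caller cannot accidentally treat such a token as an anonymous-but-valid user.
    """
    iss = claims.get("iss")
    sub = claims.get("sub")
    if iss not in TRUSTED_ISSUERS or not sub:
        raise ValueError("untrusted issuer or missing sub claim")

    # Fast path: this exact (issuer, sub) has been seen before.
    user_id = store.links.get((iss, sub))
    if user_id is not None:
        return user_id

    # Cognito federated users: Cognito mints its own `sub`, but the `identities`
    # claim (present in the ID token) carries the upstream provider's user id.
    # Map it back to the Spring subject we already know, then record the Cognito
    # subject so access tokens alone suffice on later requests.
    if iss == COGNITO_ISSUER:
        for identity in claims.get("identities", []):
            if identity.get("providerName") != COGNITO_SPRING_PROVIDER_NAME:
                continue
            upstream_sub = identity.get("userId")
            user_id = store.links.get((SPRING_ISSUER, upstream_sub))
            if user_id is not None:
                store.link(COGNITO_ISSUER, sub, user_id)
                return user_id

    # Deliberately no fallback to matching on `email`: an unverified or
    # attacker-controlled email claim must never be allowed to claim an account.
    return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Run the three cases a migration has to handle; returns the resolved ids."""
    store = UserStore()
    store.add_user("user-42", "alice@example.com")
    store.link(SPRING_ISSUER, "spring-sub-123", "user-42")

    # Constructed token payloads (signature already verified by assumption).
    spring_claims = {"iss": SPRING_ISSUER, "sub": "spring-sub-123"}
    cognito_claims = {
        "iss": COGNITO_ISSUER,
        "sub": "9f1c2d3e-0000-4000-8000-000000000000",
        "email": "alice@example.com",
        "identities": [{"providerName": COGNITO_SPRING_PROVIDER_NAME,
                        "userId": "spring-sub-123", "providerType": "OIDC"}],
    }
    stranger_claims = {"iss": COGNITO_ISSUER, "sub": "unknown-sub",
                       "email": "alice@example.com"}  # same email, no link

    return (resolve_user(spring_claims, store),
            resolve_user(cognito_claims, store),
            resolve_user(stranger_claims, store))


if __name__ == "__main__":
    print(demo())
```

The stranger case is the important one: a Cognito token carrying the same email as an existing user but no linkable identity resolves to `None`, and the application should treat that as "new or unlinked account" rather than silently attaching it to `user-42`.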