
Using API Gateway with AWS Cognito for protected routes

So I'm going to put a public facing API up using AWS API Gateway, where I'll have back end Lambda resources that handle the logic for each route (decoupled microservice).

What should I be storing in the JWT? Currently, I've disabled all read attributes, so the token only contains cognito:username, which in my database I will store as the user id for each user. My understanding is that once a JWT is properly generated, I can use Cognito as an authorizer with API Gateway, and then once the JWT details are received at the Lambda layer, all I need to do is use the cognito:username key to look up the user profile in my database.

Should I be implementing any other checks in the backend, or is it safe to rely on API Gateway to pass the authenticated request?

Thanks!

The Cognito API Gateway authorizer will only check that the token has not expired and that it belongs to the correct user pool. But since you will be extracting the username from the token itself, you should be safe. Just make sure to configure API Gateway to pass the Authorization header to the Lambda; it does not do this by default.
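As an added example, not code from the original question or answer: a Lambda proxy handler that does not rely solely on the API Gateway Cognito authorizer but re-validates the id token's claims (signature, issuer, audience, token_use, expiry) before using `cognito:username` as the database key. Everything here is constructed: the user pool issuer, the app client id, the claims and the proxy event are placeholders, and the signature check is HMAC-SHA256 so the block runs offline. Real Cognito tokens are RS256-signed and must be verified against the user pool's JWKS (https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json), selecting the key by the token header's `kid`; `verify_signature()` is the function to swap. It assumes a REST API with Lambda proxy integration, so the raw `Authorization` header reaches the function.

```python
import base64
import hashlib
import hmac
import json
import time

# Placeholders (assumptions, not values from the original post).
USER_POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789"
# Demo-only shared secret so the block runs offline. A real user pool signs
# with RS256; verify against the pool's JWKS key chosen by the header "kid".
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ALG = "HS256"  # "RS256" for a real Cognito user pool


class TokenError(Exception):
    """Any token the backend refuses to act on."""


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_signature(signing_input: bytes, signature: bytes, alg) -> bool:
    # Pin the algorithm server-side; the token header never gets to choose it
    # (this rejects alg "none" and algorithm-confusion attempts).
    if alg != EXPECTED_ALG:
        return False
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def validate_id_token(token: str, now=None) -> dict:
    """Checks the backend should make even with a Cognito authorizer in front."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers base64, JSON and UTF-8 failures
        raise TokenError("undecodable token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenError("unexpected token structure")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    if not verify_signature(signing_input, signature, header.get("alg")):
        raise TokenError("bad signature")
    if claims.get("iss") != USER_POOL_ISS:
        raise TokenError("token not issued by our user pool")
    if claims.get("token_use") != "id":  # access tokens carry client_id, not aud
        raise TokenError("expected an id token")
    if claims.get("aud") != APP_CLIENT_ID:
        raise TokenError("token issued for a different app client")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise TokenError("token expired")
    if not claims.get("cognito:username"):
        raise TokenError("missing cognito:username")
    return claims


def handler(event, context=None):
    """Lambda proxy handler: the caller is resolved only from the verified token."""
    headers = event.get("headers") or {}
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else auth
    try:
        claims = validate_id_token(token)
    except TokenError as exc:
        return {"statusCode": 401, "body": json.dumps({"error": str(exc)})}
    user_id = claims["cognito:username"]
    # If the authorizer forwarded its parsed claims, they must agree with ours.
    fwd = ((event.get("requestContext") or {}).get("authorizer") or {}).get("claims") or {}
    if fwd and fwd.get("cognito:username") != user_id:
        return {"statusCode": 401, "body": json.dumps({"error": "claim mismatch"})}
    # user_id is the profile lookup key; a user id in the path or body is never trusted.
    return {"statusCode": 200, "body": json.dumps({"user_id": user_id})}


def demo_claims(ttl: int = 3600, overrides=None) -> dict:
    """Constructed id-token claims shaped like a Cognito id token."""
    now = int(time.time())
    claims = {"iss": USER_POOL_ISS, "aud": APP_CLIENT_ID, "token_use": "id",
              "cognito:username": "alice", "iat": now, "exp": now + ttl}
    claims.update(overrides or {})
    return claims


def make_demo_token(claims: dict, alg: str = EXPECTED_ALG) -> str:
    """Constructed signer for the offline demo (Cognito itself signs with RS256)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = b"" if alg == "none" else hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def demo_event(token: str) -> dict:
    """Constructed API Gateway proxy event carrying the token."""
    return {"headers": {"Authorization": f"Bearer {token}"}, "requestContext": {}}


if __name__ == "__main__":
    print(handler(demo_event(make_demo_token(demo_claims()))))           # 200, alice
    print(handler(demo_event(make_demo_token(demo_claims(ttl=-5)))))     # 401, expired
    print(handler(demo_event(make_demo_token(demo_claims(), alg="none"))))  # 401, bad signature
```

The handler deliberately rejects access tokens (`token_use` of `access`, which carry `username` and `client_id` rather than `cognito:username` and `aud`) and any token whose issuer is another user pool, since the answer's point that the authorizer only scopes the token to a pool is exactly what a second pool's token or a confused-deputy client would exploit.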

