
Can I federate Cognito with "client credentials" flow (or other way to trust a server-side application authenticated elsewhere?)

I have an AWS REST API Gateway with Cognito authentication using the client credentials grant.

We have been creating new clients by hand and sharing the ID/secret with people who need to use our API. They send the ID/secret and "grant_type=client_credentials" to Cognito, it gives them a bearer token and they use the API with the token. All fine so far. (It is a CLI tool running on a schedule, not accessed by a browser. I specifically need to avoid any sort of "go to the browser to login".)

Now, we have a new "island" of users who have a local OIDC (Azure AD) provider that can issue them a bearer token from a curl to an endpoint.

Is there a way to make Cognito accept those tokens?

I have tried federating Cognito with a different OIDC provider (I don't have AD, but a different provider), getting myself a bearer token from it and sending it to the API GW, and I just get 401'ed. I don't know if there is something I'm doing wrong or if it's not possible.

(Things I might be doing wrong seem to be a long list. I need to create a client in the other provider and add its ID/secret/URL to Cognito; that works. I used the same client ID/secret to generate my bearer token, but when I'm in client creds flow in Cognito I need to set a custom scope. Do I need to add that scope to my initial request to the other provider? (The API GW doesn't require a scope; it is just a mock endpoint at the moment in testing.) The client_id= in the request is for the client in the other provider, not the Cognito client ID? Should I set it to the Cognito client ID?)

OR do I need to write a custom authenticator for the API GW to validate the token? (Decode the JWT, check the issuer is allowed and the signature is valid.)

And not use Cognito at all for these other users.

(If it was an HTTP API, I think I can create a JWT authoriser and it does it all for me, but it isn't, and there are some features on REST APIs not available on HTTP APIs (like WAF).)

Sorry it's a bit short on details. I could spend days copy/pasting all the configs from ID provider/Cognito but if it fundamentally won't work I wasted my time!

(After trying it, I think maybe federation only works for actual users with a browser based login flow, not clients with a CLI flow. I can't find anyone saying client credentials flow does work anyway!)
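The custom authorizer the question raises as an alternative (decode the JWT, check the issuer is on an allow-list, verify the signature) as an added Go example; it is not code from the question, the answer, or AWS. It assumes the Lambda handler around it has already fetched the issuer's JWKS and parsed each key into an *rsa.PublicKey keyed by kid, that the issuer URL in allowedIssuers is a placeholder, and that NewDemoKey exists only so constructed sample tokens can be minted offline; beyond the question's list it also pins the algorithm and checks expiry.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Hypothetical issuer allow-list; the URL is a placeholder, not a real Azure AD tenant.
var allowedIssuers = map[string]bool{"https://login.example.test/tenant-placeholder": true}
// Claims is the subset of the JWT payload this authorizer decides on.
type Claims struct{ Iss string `json:"iss"`; Exp int64 `json:"exp"` }
func b64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
// NewDemoKey makes a throwaway key so constructed sample tokens can be minted offline.
func NewDemoKey() *rsa.PrivateKey { k, err := rsa.GenerateKey(rand.Reader, 2048); if err != nil { panic(err) }; return k }
// Validate does the checks the question lists (decode, signature, issuer) plus expiry;
// keys maps each kid in the issuer's jwks_uri document to its already-parsed public key.
func Validate(token string, keys map[string]*rsa.PublicKey, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if hb, err := b64(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	pub, ok := keys[hdr.Kid]
	if hdr.Alg != "RS256" || !ok { // pin the algorithm; never let the token choose it
		return nil, errors.New("unexpected alg or unknown kid")
	}
	sig, err := b64(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // RS256 signs header.payload
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims // only trust the payload once the signature has been verified
	if pb, err := b64(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if !allowedIssuers[c.Iss] || now.Unix() >= c.Exp {
		return nil, errors.New("issuer not allowed or token expired")
	}
	return &c, nil
}
```

Turning the returned claims (or error) into the IAM allow/deny policy that a REST API Lambda authorizer must return, and checking the audience claim, are left to the surrounding handler.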

Cognito is using the authorization server role. So in all cases, the tokens returned to client applications will be issued by Cognito. These apps will never deal with Azure AD tokens. Multiple types of client can coexist:

CLIENT CREDENTIALS GRANT

Clients who use this flow might represent B2B connections. The business partner must always get Cognito tokens directly, and no federation is used here.

AUTHORIZATION CODE GRANT

Browser clients will use this flow, and you can configure Cognito to implement authentication by making a second OIDC Connect redirect to Azure AD.

My blog post provides a walkthrough on how settings are configured. Cognito will act as a client of Azure AD and use a scope such as openid profile email.

After a user login, Cognito will receive Azure AD tokens, validate them, then issue its own tokens. Nothing will change in the API gateway, which will continue to verify Cognito tokens.
