
Cognito OAuth2 access code handling with a desktop app

I have a command-line app that I want to authenticate against AWS Cognito using OAuth2 with access code flow and hosted login UI. For the similar case, Google Cloud docs explicitly recommend using http://localhost:N redirect URI, so that the application can handle the access code after authentication:

This authorization flow is similar to the one used for web server applications. The main difference is that installed apps must open the system browser and supply a local redirect URI to handle responses from Google's authorization server.

However, with Cognito localhost URIs are only allowed/recommended for testing purposes:

Cognito app callback

One alternative solution would be using an "out-of-browser" URI urn:ietf:wg:oauth:2.0:oob to display the access code in the browser and make the user copy-paste it to the app, but Cognito doesn't seem to support it.

Currently I am leaning towards running a custom OAuth2 callback handler that would only tell the user to copy-paste the access code, but I don't find it really friendly from the Cognito side.

So, the question:

  1. What's the recommended way to authenticate desktop / command-line apps with Cognito with minimal user interference?
  2. What can go wrong if I ignore Cognito's recommendation about the localhost redirect URI?

LOOPBACK URI

In a desktop app you can use localhost HTTP URLs to receive the authorization response, and that is one valid technique.

The Cognito warning is about using localhost URLs for web app responses, which of course is only suitable for a developer PC. You can ignore the warning when using loopback desktop apps.

OUT OF BROWSER URI

This was used a few years ago to read an authorization response from a web view and is no longer recommended in OAuth for Native Apps.

PRIVATE URI SCHEME

The second valid technique is the option I prefer, since it feels more integrated. It involves receiving the authorization response via a URL of the following form, and registering the scheme with the OS to point to your app:

  • com.mycompany.mydesktopapp:/callback

RESOURCES OF MINE

If it helps, I have a couple of desktop samples / blog posts that use Cognito. You can run the samples on your PC, to see which you prefer:
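A minimal loopback-redirect login for the flow discussed above, as an added example (not code from the question, the answer, or AWS): it assumes a public app client (no client secret) with http://localhost:8400/callback registered as a callback URL, and the domain and client id are placeholders. It binds the loopback port, opens the hosted UI with PKCE and a random state, accepts a single callback whose state matches, and returns the code together with the PKCE verifier for the token request.

```python
import base64, hashlib, secrets, urllib.parse, webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed placeholders (not from the original post): hosted UI domain, app client id,
# and a loopback redirect URI registered on that app client.
COGNITO_DOMAIN = "https://example.auth.us-east-1.amazoncognito.com"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "http://localhost:8400/callback"  # must match the registered URI exactly

def make_pkce():
    """PKCE pair: an intercepted code is useless to anyone without the verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(state, challenge):
    """Hosted UI authorize URL for the authorization code flow with PKCE."""
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "code_challenge": challenge,
              "code_challenge_method": "S256"}
    return COGNITO_DOMAIN + "/oauth2/authorize?" + urllib.parse.urlencode(params)

def parse_callback(path, expected_state):
    """Read the code from the loopback request; reject a missing or mismatched state."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        return None  # not the login attempt this process started
    return query.get("code", [None])[0]

def token_request_body(code, verifier):
    """Form body for POST <domain>/oauth2/token; the verifier proves the code is ours."""
    return {"grant_type": "authorization_code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "code": code, "code_verifier": verifier}

def login_interactive():
    """Listen on the loopback port, open the hosted UI, block for exactly one callback."""
    state, (verifier, challenge), got = secrets.token_urlsafe(16), make_pkce(), {}
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            got["code"] = parse_callback(self.path, state)
            self.send_response(200 if got["code"] else 400)
            self.end_headers()
            self.wfile.write(b"Login finished, you can close this tab." if got["code"]
                             else b"Unexpected callback, ignored.")
    url = urllib.parse.urlparse(REDIRECT_URI)
    with HTTPServer((url.hostname, url.port), Handler) as server:
        webbrowser.open(build_authorize_url(state, challenge))
        server.handle_request()  # one request, then the listener is closed
    return got.get("code"), verifier
```

The code and verifier returned by login_interactive() go into token_request_body() for the POST to the hosted UI's /oauth2/token endpoint; a callback carrying a foreign or absent state is answered with 400 and never exchanged.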
