[英]AWS: How to properly authenticate a user against Cognito Pool and use it for Cognito Federated Identity?
我正在開發一個使用兩個身份驗證提供程序的應用程序:
對於前者,我沒有問題,一切都按預期進行。 但是,在使用Cognito用戶池設置身份驗證時,我遇到了另一堵牆。 我正在使用AWS開發工具包2.4.9,XCode 8和Swift 3。
我知道已經提出了很多問題,並且有很多“指南”。 但是,其中許多都是針對過時的文檔和SDK的。 即使是正式的AWS文檔也已過時。
我正在經歷的身份驗證步驟如下:
1.配置初始認知池
/// Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration
/// Create a pool configuration and register it for a specific key to use later
let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID)
AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey)
/// Create a pool for a specific predefined key
pool = AWSCognitoIdentityUserPool(forKey: poolKey)
2.根據Cognito用戶池對用戶進行身份驗證
user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in
if let error = task.error as? NSError {
completionHandler(error)
return nil
}
let session = task.result! as AWSCognitoIdentityUserSession
let token = session.idToken!.tokenString
let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString]
let identityProvider = CognitoPoolIdentityProvider(tokens: tokens)
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider)
/// Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration
credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in
completionHandler(task.error as NSError?)
return nil
})
return nil
})
3. CognitoPoolIdentityProvider類
class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager {
var tokens : NSDictionary = [:]
init(tokens: [NSString : NSString]) {
self.tokens = tokens as NSDictionary
}
@objc func logins() -> AWSTask<NSDictionary> {
return AWSTask(result: tokens)
}
}
4.將數據存儲到Cognito聯合身份
這一切順利進行,沒有任何錯誤。 但是,現在我想將我從Cognito池中提取的數據存儲到特定的Cognito聯合身份數據集,所以我在調用: userProfile.synchronize().continue
並得到以下結果:
getCredentialsWithCognito:authenticated:customRoleArn:] _ block_invoke | GetCredentialsForIdentity失敗。 錯誤為[錯誤域= com.amazonaws.AWSCognitoIdentityErrorDomain代碼= 8“(null)” UserInfo = {__ type = NotAuthorizedException,message =禁止訪問身份'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' 。}]
2016-11-10 10:27:16.947365 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [錯誤] AWSIdentityProvider.m行:304 | __52- [AWSCognitoCredentialsProviderHelper getIdentityId] _block_invoke.255 | GetId失敗。 錯誤為[錯誤域= com.amazonaws.AWSCognitoIdentityErrorDomain代碼= 8“(null)” UserInfo = {__ type = NotAuthorizedException,消息=此身份驗證池不支持未經身份驗證的訪問。}] 2016-11-10 10:27:16.947726 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [錯誤]
AWSCredentialsProvider.m行:577 | __44- [AWSCognitoCredentialsProvider憑據] _block_invoke.352 | 無法刷新。 錯誤為[Error Domain = com.amazonaws.AWSCognitoIdentityErrorDomain代碼= 8“(null)” UserInfo = {__ type = NotAuthorizedException,消息=此身份驗證池不支持未經身份驗證的訪問。}] 2016-11-10 10:27:16.948452 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [錯誤]
AWSCognitoDataset.m行:352 | __30- [AWSCognitoDataset syncPull:] _ block_invoke | 無法列出記錄:Error Domain = com.amazonaws.AWSCognitoIdentityErrorDomain代碼= 8“(null)” UserInfo = {__ type = NotAuthorizedException,消息=此身份驗證池不支持未經身份驗證的訪問。} [10:27:16]:saveSettings AWS任務錯誤:操作無法完成。 (com.amazonaws.AWSCognitoIdentityErrorDomain錯誤8。)
更改日志級別后,可以看到以下內容:
//請求
2016-11-10 10:33:08.095735 xxxxxxxx [19874:5616142] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m行:543 | -[AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] | 請求正文:{“ IdentityId”:“ us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx”}
//響應
2016-11-10 10:33:08.714268 xxxxxxxx [19874:5616154] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m行:553 | -[AWSURLSessionManager printHTTPHeadersForResponse:] | 響應標頭:{Connection =“ keep-alive”; “內容長度” = 129; “ Content-Type” =“ application / x-amz-json-1.1”; Date =“星期四,2016年11月10日09:33:08 GMT”; “;” x-amzn-ErrorMessage“ =”禁止訪問身份'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx'。 “ x-amzn-ErrorType” =“ NotAuthorizedException:”; “ x-amzn-RequestId” =“ b0ac6fb0-a728-11e6-8413-1fdb846185bb”; }
上面的請求是GetID API調用。 顯然,它與來自AWS Docs的請求格式不匹配: http : //docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html 。
根據AWSServiceManager類,我們有以下內容:
/**
The default service configuration object. This property can be set only once, and any subsequent setters are ignored.
*/
@property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;
這意味着設置新服務配置是沒有意義的,但是我看不到其他方法來刷新通過Cognito用戶池身份驗證獲得的憑據。
就是這樣。 有任何想法嗎?
謝謝
看來是從您得到的錯誤
Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden
您在第一部分中獲得的憑據無法訪問您進行同步調用的身份,因此您的身份可能已更改。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.