Aws sam cognito api gateway - access token forbidden but works if it's from postman

I have a CognitoUserPool and a lambda function that requires an authenticated user.

When I make the request with a token obtained from Postman (which opens the AWS UI login), it works, but when I use the token from the curl login it does not: 403 Forbidden. Any idea what I am missing?

My template.yaml

AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  Env:
    Type: String
    Default: dev
    AllowedValues:
      - dev
      - test
      - prod

Description: >-
  sam-app
Transform:
- AWS::Serverless-2016-10-31

Globals:
  Function:
    Timeout: 100
    Runtime: nodejs16.x
    MemorySize: 128

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool
    Properties:
      UserPoolName: !Sub ${Env}-Cognito-User-Pool
      Policies:
        PasswordPolicy: 
          MinimumLength: 8
      UsernameAttributes:
        - email
      AutoVerifiedAttributes:
        - email
      Schema:
        - AttributeDataType: String
          Name: email
          Required: false

  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      UserPoolId: !Ref CognitoUserPool
      ClientName: !Sub ${Env}-CognitoUserPoolClient
      GenerateSecret: false
      CallbackURLs:
        - http://localhost:3000
      LogoutURLs:
        - http://localhost:3000
      AllowedOAuthFlowsUserPoolClient: true
      ExplicitAuthFlows:
        - ALLOW_ADMIN_USER_PASSWORD_AUTH
        - ALLOW_USER_PASSWORD_AUTH
        - ALLOW_CUSTOM_AUTH
        - ALLOW_USER_SRP_AUTH
        - ALLOW_REFRESH_TOKEN_AUTH
      AllowedOAuthFlows:
        - code
        - implicit
      SupportedIdentityProviders:
        - COGNITO
      AllowedOAuthScopes:
        - openid
        - email
        - profile

  CognitoDomainName:
    Type: AWS::Cognito::UserPoolDomain
    Properties:
      Domain: !Sub ${Env}-domain-test
      UserPoolId: !Ref CognitoUserPool

  HttpApi:
    Type: AWS::Serverless::HttpApi
    DependsOn: CognitoUserPoolClient
    Properties:
      StageName: !Ref Env
      Auth:
        Authorizers:
          CustomCognitoAuthorizer:
            UserPoolArn: !GetAtt CognitoUserPool.Arn
            AuthorizationScopes:
              - email
            IdentitySource: "$request.header.Authorization"
            JwtConfiguration:
              issuer: !Sub https://cognito-idp.${AWS::Region}.amazonaws.com/${CognitoUserPool}
              audience:
                - !Ref CognitoUserPoolClient
      CorsConfiguration:
        AllowMethods:
          - GET
        AllowHeaders: '*'
        AllowOrigins:
          - '*'

  getAllItemsFunction:
    Type: AWS::Serverless::Function
    Properties:
      Handler: src/handlers/get-all-items.getAllItemsHandler
      Events:
        DosGet:
          Type: HttpApi
          Properties:
            Auth:
              Authorizer: CustomCognitoAuthorizer
            Path: /
            ApiId: !Ref HttpApi
            Method: GET

The curl I use to log in is from this article: AWS - Cognito Authentication - Curl Call - Generate Token Without CLI - No Client Secret

Method: POST
Endpoint: https://cognito-idp.{REGION}.amazonaws.com/
Content-Type: application/x-amz-json-1.1
X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth
Body (AuthFlow stays USER_PASSWORD_AUTH if you are using password auth):
{
    "AuthParameters" : {
        "USERNAME" : "YOUR_USERNAME",
        "PASSWORD" : "YOUR_PASSWORD"
    },
    "AuthFlow" : "USER_PASSWORD_AUTH",
    "ClientId" : "APP_CLIENT_ID"
}

After some digging I solved this: by analysing the token generated by each method I found the difference.

The token obtained from the AWS UI:

{
 "scope": "aws.cognito.signin.user.admin"
}

And the one from the curl login:

{
 "scope": "openid profile email"
}

So the solution was to add aws.cognito.signin.user.admin as part of the AllowedOAuthScopes of my UserPoolClient:

AllowedOAuthScopes:
 - openid
 - email
 - profile
 - aws.cognito.signin.user.admin

and to the AuthorizationScopes of my HttpApi:

AuthorizationScopes:
 - email
 - aws.cognito.signin.user.admin
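Added diagnostic, not part of the original question or answer: it reproduces the claim checks an HTTP API JWT authorizer applies (issuer, audience or client_id, expiry, and the route's AuthorizationScopes, where any one matching scope authorizes the request) so you can see which claim earns the 403 for the two scope shapes shown above. The issuer, client id, timestamps and both tokens are constructed placeholders, and signature verification against the pool's JWKS is omitted, so this explains a rejection rather than replacing the authorizer.

```python
import base64
import json

# Constructed placeholders: the real values come from your user pool and app client.
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
CLIENT_ID = "1example23456789abcdef"
NOW = 1_700_000_000  # fixed "current time" so the demo is reproducible


def decode_payload(jwt: str) -> dict:
    """Return the JWT payload without verifying the signature (diagnostic only)."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def rejection_reasons(claims: dict, route_scopes: list, now: int = NOW) -> list:
    """Explain why a JWT authorizer would reject the token; [] means accepted."""
    reasons = []
    if claims.get("iss") != ISSUER:
        reasons.append("issuer does not match JwtConfiguration.issuer")
    # Cognito access tokens carry client_id instead of aud; either claim is
    # matched against JwtConfiguration.audience.
    if (claims.get("aud") or claims.get("client_id")) != CLIENT_ID:
        reasons.append("aud/client_id not in JwtConfiguration.audience")
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    raw = claims.get("scope") or claims.get("scp") or ""
    token_scopes = set(raw.split() if isinstance(raw, str) else raw)
    # A route with AuthorizationScopes is authorized when ANY of them appears
    # in the token's scope claim; none matching is the 403 from the question.
    if route_scopes and not token_scopes & set(route_scopes):
        reasons.append(f"none of {route_scopes} in token scopes {sorted(token_scopes)}")
    return reasons


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg none) token purely as demo input."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


BASE = {"iss": ISSUER, "client_id": CLIENT_ID, "exp": NOW + 3600, "token_use": "access"}
# The two scope shapes seen in the answer above.
ADMIN_SCOPE_TOKEN = make_unsigned_jwt({**BASE, "scope": "aws.cognito.signin.user.admin"})
OIDC_SCOPE_TOKEN = make_unsigned_jwt({**BASE, "scope": "openid profile email"})

if __name__ == "__main__":
    for name, tok in (("admin-scope", ADMIN_SCOPE_TOKEN), ("oidc-scope", OIDC_SCOPE_TOKEN)):
        for scopes in (["email"], ["email", "aws.cognito.signin.user.admin"]):
            print(name, scopes, rejection_reasons(decode_payload(tok), scopes) or "accepted")
```

Run it against a real access token by pasting the token into decode_payload and setting ISSUER and CLIENT_ID from your stack outputs; the listed reason is the claim to fix in the template or in the login flow.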
