I know two ways to authenticate a user and obtain an access token: one is through the Hosted UI, the other is using the various SDKs provided.
What I am looking for is an endpoint that takes the user's credentials directly and returns an access token.
POST https://that-special-endpoint.com/login
{
username: "example@email.com",
password: "Abc123456",
...client ID, etc.
}
I have searched for a while but cannot find how to do this. Is it impossible because of some security issue I am not aware of?
I did consider creating a Lambda API that uses the Cognito SDK to cover my use case, but I am not sure whether that is advisable...
A similar question was answered here. You can call the InitiateAuth and RespondToAuthChallenge APIs by sending requests to https://cognito-idp.[region].amazonaws.com/.
InitiateAuth
- Create a JSON file aws-auth-data.json
{
"AuthParameters": {
"USERNAME": "your-email@example.com",
"PASSWORD": "your-first-password",
"SECRET_HASH": "......(required if the app client is configured with a client secret)"
},
"AuthFlow": "USER_PASSWORD_AUTH",
"ClientId": "5m........................"
}
- Send the request to https://cognito-idp.us-east-2.amazonaws.com/ (if the user pool is in the us-east-2 region) to call the InitiateAuth API and start the authentication flow
curl -X POST --data @aws-auth-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
- You will then receive the user's tokens
{
"AuthenticationResult": {
"AccessToken": "eyJra........",
"ExpiresIn": 3600,
"IdToken": "eyJra........",
"RefreshToken": "eyJjd........",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}
RespondToAuthChallenge
You may receive a challenge in the InitiateAuth response. For example, the first time you try InitiateAuth you will be asked to change the password:
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeParameters": {
"USER_ID_FOR_SRP": "abababab-......",
"requiredAttributes": "[]",
"userAttributes": "{\"email_verified\":\"true\",\"email\":\"your-email@example.com\"}"
},
"Session": "DNdY......"
}
In that case, change the password with RespondToAuthChallenge and you will get the tokens.
{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeResponses": {
"USERNAME": "your-email@example.com",
"NEW_PASSWORD": "your-second-password"
},
"ClientId": "5m........................",
"Session": "DNdYN...(what you got in the preceding response)"
}
curl -X POST --data @aws-change-password.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
See also:
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html
https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html
https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-client-side-authentication-flow