小贝子编程

使用Amazon Cognito进行手动身份验证



我知道两种验证用户身份和获取access token的方法,一种是通过Hosted UI,另一种是使用提供的各种SDK。

我正在寻找的是一个端点直接使用用户凭据获取access token

POST https://that-special-endpoint.com/login
{
username: "example@email.com",
password: "Abc123456",
...client ID, etc.
}

我找了一段时间,但找不到如何做到这一点。这是不是因为我不知道的一些安全问题而不可能?

我确实考虑过创建一个Lambda API并使用Cognito SDK来满足我的用例,但我不确定这是否可取。。。

类似的问题在这里得到了回答。您可以访问https://cognito-idp.[region].amazonaws.com/来调用InitiateAuthRespondToAuthChallengeAPI。

InitiateAuth

  1. 创建一个json文件aws-auth-data.json
{
"AuthParameters": {
"USERNAME": "your-email@example.com",
"PASSWORD": "your-first-password",
"SECRET_HASH": "......(required if the app client is configured with a client secret)"
},
"AuthFlow": "USER_PASSWORD_AUTH",
"ClientId": "5m........................"
}
  1. https://cognito-idp.us-east-2.amazonaws.com/(如果用户池位于us-east-2区域(上发送请求,以调用InitiateAuthAPI并启动身份验证流
curl -X POST --data @aws-auth-data.json 
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' 
-H 'Content-Type: application/x-amz-json-1.1' 
https://cognito-idp.us-east-2.amazonaws.com/
  1. 然后您将获得用户的令牌
{
"AuthenticationResult": {
"AccessToken": "eyJra........",
"ExpiresIn": 3600,
"IdToken": "eyJra........",
"RefreshToken": "eyJjd........",
"TokenType": "Bearer"
},
"ChallengeParameters": {}
}

RespondToAuthChallenge

您可能会收到InitiateAuth响应的挑战。例如,当您第一次尝试"InitiateAuth"时,将要求您更改密码:

{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeParameters": {
"USER_ID_FOR_SRP": "abababab-......",
"requiredAttributes": "[]",
"userAttributes": "{"email_verified":"true","email":"your-email@example.com"}"
},
"Session": "DNdY......"
}

在这种情况下,使用RespondToAuthChallenge更改密码,您将获得令牌。

{
"ChallengeName": "NEW_PASSWORD_REQUIRED",
"ChallengeResponses": {
"USERNAME": "your-email@example.com",
"NEW_PASSWORD": "your-second-password"
},
"ClientId": "5m........................",
"Session": "DNdYN...(what you got in the preceding response)"
}

curl -X POST --data @aws-change-password.json 
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' 
-H 'Content-Type: application/x-amz-json-1.1' 
https://cognito-idp.us-east-2.amazonaws.com/

另请参阅:

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito用户池客户端身份验证流

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium