Cognito Google Federated Identity, Invalid OpenId Connect Id



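I am developing an application that allows users to sign in with their Google account and then uses that login to obtain a Cognito federated identity.

I can't get the correct token needed to authenticate with Cognito. I keep getting the error com.amazonaws.services.cognitoidentity.model.NotAuthorizedException: Invalid login token. Not a valid OpenId Connect identity token.

Here is my code: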

        Runnable runnable = new Runnable() {
            @Override
            public void run() {
                CognitoSyncClientManager.init(getActivity().getApplicationContext());
                String token = null;
                try {
                    token = GoogleAuthUtil.getToken(getActivity().getApplicationContext(), signInAccount.getAccount(), "oauth2:openid");
                }catch (Exception e){
                    Log.d("login exception", e.toString());
                }
                Map<String, String> logins = new HashMap<String, String>();
                logins.put("accounts.google.com", token);
                CognitoSyncClientManager.addLogins("accounts.google.com", token);
                Log.d("login", "Created User token " + token);
                Log.d("login", "Cached UserID: "+CognitoSyncClientManager.credentialsProvider.getCachedIdentityId());
                Log.d("login", "UserID: " + CognitoSyncClientManager.credentialsProvider.getIdentityId());
                Toast.makeText(getActivity().getApplicationContext(), "Created user: "+CognitoSyncClientManager.credentialsProvider.getCachedIdentityId(), Toast.LENGTH_LONG);
            }
        };
        Thread t = new Thread(runnable);
        t.start();

GoogleAuthUtil's getToken appears to return an access token.

https://developers.google.com/android/reference/com/google/android/gms/auth/GoogleAuthUtil.html#getToken(android.content.Context, android.accounts.Account, java.lang.String, android.os.Bundle)

You need to pass Google's OpenId Connect Id Token to Cognito, not the Access Token.

https://developers.google.com/identity/sign-in/android/backend-auth

Based on the Javascript passport-google-auth module, it returns access_token, refresh_token and params.

To get the cognito_identity you need to use the params.id_token received from Google

    // passport, GoogleStrategy, app and controller are set up elsewhere in the application.
    var googleDeveloperDetails = {
        clientID: "google client ID",
        clientSecret: "google client secret",
        callbackURL: "https://localhost:3000/auth/google/callback",
        profileFields: ["emails", "profile"]
    };
    var getUserDetails = function(accessToken, refreshToken, params, profile, done) {
        if (profile.provider == "google") {
            profile.token = params.id_token;   // params.id_token to be used to get cognito credentials
        } else {
            profile.token = accessToken;
        }
        done(null, profile);
    };
    // Define the options and the verify callback before handing them to the strategy.
    passport.use(new GoogleStrategy(googleDeveloperDetails, getUserDetails));
    app.get("/auth/google", passport.authenticate("google", { scope: ['email'] }));
    var authGoogle = passport.authenticate("google", {
        failureRedirect: "/auth/google"
    });
    // The route path needs its leading slash to match callbackURL.
    app.get("/auth/google/callback", authGoogle, controller.successRedirect);
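
Added example (not part of the question or of either answer): a JavaScript check of whether a value has the shape of a Google OpenID Connect ID token, rather than an access token, before it is placed in the Cognito logins map. The function names, the client ID and the sample tokens are constructed for illustration, and the signature is not verified here.

```javascript
// Added example: shape check for the value placed in the Cognito Logins map.
// It reads claims only and does NOT verify the signature.
const GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"];

function decodeSegment(segment) {
  // JWT segments are unpadded base64url; map to standard base64 before decoding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const value = JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("not a JSON object");
  return value;
}

// expectedClientId and nowSeconds are supplied by the caller (assumed names).
function checkGoogleIdToken(token, expectedClientId, nowSeconds) {
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing token" };
  }
  const parts = token.split(".");
  if (parts.length !== 3) {
    return { ok: false, reason: "not a JWT (opaque access token?)" };
  }
  let claims;
  try {
    decodeSegment(parts[0]);
    claims = decodeSegment(parts[1]);
  } catch (e) {
    return { ok: false, reason: "segments are not base64url JSON" };
  }
  if (!GOOGLE_ISSUERS.includes(claims.iss)) {
    return { ok: false, reason: "unexpected issuer" };
  }
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(expectedClientId)) {
    return { ok: false, reason: "audience mismatch" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, reason: "ID token shape" };
}

// Constructed sample values, not real tokens.
function makeSampleJwt(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "c2lnbmF0dXJl"].join(".");
}
const SAMPLE_CLIENT_ID = "1234567890-example.apps.googleusercontent.com";
const SAMPLE_ACCESS_TOKEN = "ya29.constructed-opaque-value";
const SAMPLE_ID_TOKEN = makeSampleJwt({ iss: "https://accounts.google.com", aud: SAMPLE_CLIENT_ID, exp: 2000000000 });
```

A value that fails with "not a JWT" is the case the question describes: an opaque access token handed to Cognito where an ID token is expected.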
