Multi-Tenant Authentication with AWS Cognito


Question

My current project is in AWS, using Cognito and microservices with Lambda. We have designed the microservices using DDD and are in the process of implementing basic functionality.

However, there is a business need for users of the API to be able to be categorised into the client company that they work for, and only be able to access data for that client company as well as any role-based authentication we will have.

This isn't a full multi-tenant solution as every user will be working with the same website, but their account will have been associated with a particular client.

Everything I have read about doing something like this in AWS suggests using one user role or pool per client and associating users with it when they are created, however we do not want to do this, as the clients typically consist of 2-3 users and there are many clients. This would quickly become unmaintainable in terms of number of user pools.

I tried to think of ways around this issue using "conventional" means, such as adding a domain service into the architecture which was solely designed to add client data to each request by a particular user by calling into the user microservice, but this seems overly complex. I also considered changing the architecture to include basic user and role information in each microservice, but that seems messy.

My question is are there any officially supported ways to add data into an AWS Cognito profile programmatically, and in such a way that this could be changed through a front-end website by a client admin after the account has been created? Even if it's just a clientId field in the token.

If not, then what would anybody who has experienced a similar issue recommend as an alternative to the user pools suggestion.

Thanks.

I have also been investigating several ways to do this using attributes on Cognito profiles, as mentioned here. It seems like this is the way to do more or less what I'm trying to achieve, but I'd still like to hear about alternatives or advice.

Answer

The solution we will use for this issue will be to use custom attributes as part of the Cognito user set-up. We will have text fields for additional attributes or groups that the user belongs to.

The way this should be implemented can be found at the following links:

  • Managing SaaS Identity Through Custom Attributes and Amazon Cognito
  • Managing SaaS Users with Amazon Cognito
  • SaaS identity and isolation with Amazon Cognito (Example Guide)
  • SaaS Storage Strategies

With this data being automatically passed into each service as part of the Cognito credentials, we will be able to check that the user has the valid credentials for accessing data specific to each client.

Examples of how to work with Cognito in a NodeJS application (sometimes with Serverless) include:

https://serverless-stack.com/chapters/login-with-aws-cognito.html

https://serverless-stack.com/chapters/add-a-create-note-api.html#configure-the-api-endpoint

This seems to be most easily achieved by using the aws-amplify package, which is primarily designed for front-end authentication, but which can be used in NodeJS for back-end authentication as specified here.
