如何将Cognito身份池与API网关集成? [英] How can integrate Cognito Identity Pool with API Gateway?
问题描述
我对Cognito和API Gateway的集成有疑问,希望您能为我提供帮助。我正在考虑开发一个我希望与第三方(Facebook,Twitter等)进行身份验证过程的应用程序,因此我放弃了Cognito用户池,然后又有了Cognito身份池,但这是我的疑虑。 / p>
- 如何将其与API Gateway集成?
- 我应该使用API Gateway Custom Authorizer来管理由Cognito生成的令牌?
- 如果我不使用自定义授权程序,如何根据用户个人资料(管理员,客户端...)限制对API方法的访问? / li>
感谢您的帮助
如何将其与API Gateway集成?
- 对于Cognito身份池,您需要将方法的Authorization类型设置为AWS_IAM
我应该使用API网关自定义授权器来管理Cognito生成的令牌吗?
- 对于身份池,这是不可能的。您必须使用AWS_IAM授权。您将可以访问后端呼叫的Cognito ID。
如果我不使用自定义授权者,如何限制是否可以根据用户个人资料(管理员,客户端...)访问API方法?
- 更熟悉的Cognito能够回答更好,但我相信您只能设置已认证角色和未认证角色。因此,当用户向外部提供商进行身份验证时,他们将获得已身份验证的角色,仅此而已。我不确定身份池中是否支持用户组(管理员,客户端)(用户池中是否支持)。
I have a question about the integration of Cognito and API Gateway and I hope that you can help me with that. I am thinking of making an application in which I would like the authentication process with third parties (Facebook, Twitter ...), so I discard Cognito User Pool, then I have Cognito Identity Pool, but this is where my doubts grow.
- How can I integrate it with API Gateway?
- Should I use API Gateway Custom Authorizer to manage the token generated by Cognito?
- If I do not use the Custom Authorizer, How can I restrict access to the API Methods based on the user profile (admin, client ...)?
Thanks for your help
How can I integrate it with API Gateway?
- For Cognito Identity Pools, you'll set the Authorization type on your methods to AWS_IAM
Should I use API Gateway Custom Authorizer to manage the token generated by Cognito?
- With Identity Pools, this won't be possible. You'll have to use the AWS_IAM authorization. You'll get access to the Cognito ID for your backend call.
If I do not use the Custom Authorizer, How can I restrict access to the API Methods based on the user profile (admin, client ...)?
- Someone more familiar Cognito would be able to answer better, but I believe you can only set up the 'authenticated role' and the 'unauthenticated role'. So when a user authenticates with an external provider, they get the 'authenticated role' and that's it. I'm not sure if there is support for user groups (admin, client) in Identity Pools (there is support in User Pools).
Edit: maybe this will help http://www.slideshare.net/AmazonWebServices/securing-serverless-workloads-with-cognito-and-api-gateway-part-i-aws-security-day
这篇关于如何将Cognito身份池与API网关集成?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
