Trying to set up user pool authentication for API Gateway


Question

I'm trying to set up security on an API using Cognito user pools. I'm getting back 401 Unauthorized.

The API and user pool already exist, and I've been using the user pool to log into an application. I'm now trying to secure the API calls.

I created an authorizer on the API,

(screenshot: https://i.stack.imgur.com/W3QU2.jpg)

Then I added the authorizer to one GET method in the API.

Then finally I tried to test the API in Postman. I'm using the AWS Signature authorization.

Calling the method returns 401. The method worked before with no security, and turning off the authorizer makes it work again (without security).

Any ideas what step I'm missing?

Answer

The AWS Signature authorization is different from a Custom Authorizer.

The AWS Signature authorization (Postman) requires an AWS AccessKey and SecretKey to authenticate requests. This corresponds to IAM Authentication in API Gateway. The AccessKey and SecretKey are obtained through IAM.

A Custom Authorizer takes a JWT, the #id_token, that is issued by your specified Cognito User Pool. To test the validity of the token, go to your custom authorizer, click Test, and paste the token into the text area.

The way to perform the Custom Authorizer authentication is this:


  1. Obtain an #id_token from your user pool by following the AWS Configuration
  2. Configure API Gateway with a Cognito custom authorizer with your user pool as the source (it seems you have done this correctly)
  3. Use OAuth 2.0 as the Authorization in Postman, with your #id_token as the Access Token, or add the header Authorization with the value Bearer followed by the #id_token

Drop a comment if you want me to add the AWS Signature Auth Flow.
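The three steps above as a worked example. This is added code, not part of the original answer: the region, user pool id, app client id and API URL are placeholders, `get_id_token` and `call_api` need boto3 and network access and are not run offline, and `preflight_problems` is a local diagnostic that checks the claims a Cognito authorizer verifies (issuer, token_use, audience, expiry) so you can see why a 401 comes back before looking at the signature, which API Gateway itself checks against the pool's JWKS.

```python
"""Cognito user pool id_token -> API Gateway Cognito authorizer.

Added example for this Q&A. All identifiers below are placeholders, not values
from the original question.
"""
import base64
import json
import time
import urllib.request

# Assumed configuration (placeholders, not from the original post).
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
APP_CLIENT_ID = "1example23456789abcdef"
API_URL = "https://abc123.execute-api.us-east-1.amazonaws.com/prod/items"


def expected_issuer(region, user_pool_id):
    """Issuer the Cognito authorizer requires in the token's iss claim."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"


def get_id_token(username, password):
    """Step 1: obtain an id_token from the user pool.

    Needs boto3, network access and ALLOW_USER_PASSWORD_AUTH enabled on the
    app client; it is not exercised offline.
    """
    import boto3  # lazy import so the rest of the module works without it

    client = boto3.client("cognito-idp", region_name=REGION)
    resp = client.initiate_auth(
        AuthFlow="USER_PASSWORD_AUTH",
        AuthParameters={"USERNAME": username, "PASSWORD": password},
        ClientId=APP_CLIENT_ID,
    )
    # AuthenticationResult also carries AccessToken and RefreshToken; the
    # Cognito authorizer (no OAuth scopes configured) wants the IdToken.
    return resp["AuthenticationResult"]["IdToken"]


def bearer_headers(id_token):
    """Step 3: the header the authorizer reads (default token source is
    Authorization). No SigV4 signing and no API key are involved."""
    return {"Authorization": f"Bearer {id_token}"}


def call_api(id_token):
    """Call the protected GET method with the id_token (network, not run offline)."""
    req = urllib.request.Request(API_URL, headers=bearer_headers(id_token))
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def _b64url_decode(segment):
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying it (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def preflight_problems(token, now=None):
    """Return the claim mismatches that make a Cognito authorizer answer 401.

    Mirrors the checks API Gateway applies to an ID token: issuer must be the
    configured pool, token_use must be 'id' (a common mistake is sending the
    access token), aud must be an app client of the pool, and exp must be in
    the future. Signature verification is left to API Gateway.
    """
    now = time.time() if now is None else now
    try:
        claims = decode_claims(token)
    except ValueError as exc:  # covers binascii, JSON and unicode errors
        return [f"malformed token: {exc}"]
    problems = []
    if claims.get("iss") != expected_issuer(REGION, USER_POOL_ID):
        problems.append("iss does not match the configured user pool")
    if claims.get("token_use") != "id":
        problems.append("token_use is not 'id' (access token sent instead of id_token?)")
    if claims.get("aud") != APP_CLIENT_ID:
        problems.append("aud does not match the app client id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_demo_token(claims):
    """Build a JWT-shaped string for offline testing (constructed input).

    The signature segment is a placeholder; a real id_token is RS256-signed by
    the pool and only API Gateway's JWKS check can validate it.
    """
    header = {"alg": "RS256", "kid": "demo-kid"}
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "placeholder"])
```

Run `preflight_problems(token)` on the exact string you paste into Postman; an empty list means the claims are what the authorizer expects and a remaining 401 points at the signature, the token source setting on the authorizer, or the authorizer not being attached to the method you are calling.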
