使用自定义属性通过到Lambda的API网关对Cognito用户进行身份验证是否安全? [英] Is it safe to authenticate a Cognito User through API Gateway to Lambda using a custom property?
问题描述
我目前正在使用Cognito用户池作为API网关端点的授权者,直到使用Lambda函数。
I'm currently using a Cognito User Pool as an authorizer for an API Gateway endpoint, through to a Lambda function.
我可以将集成请求传递给Lambda和SECURELY基于自定义属性从Lambda内部允许还是拒绝?
Can I pass the Integrated Request on to Lambda and SECURELY allow or deny from inside Lambda based on a custom attribute?
映射:
administrator: $ context.authorizer.claims ['custom :administrator'],
Mapping: "administrator" : "$context.authorizer.claims['custom:administrator']",
Lambda处理程序:
Lambda handler:
boolean isAdmin = Boolean.parseBoolean(request.getContext().get("administrator"));
if(isAdmin) etc...
不是管理员的用户不应具有与管理员相同的API端点。.
To be clear, a user that is NOT an administrator should not have access to the same API endpoints that and Administrator does..
在此之前/之后,我还需要做其他事情吗?
Do I need to do anything else before/after this point?
在用户登录到Cognito后,我将通过包括Authorization:JWToken标头向Java网关发送初始请求。
I am sending the initial request to the API Gateway with Javascript after the user has logged into Cognito, by including the Authorization: JWToken header.
我需要在Lambda函数中验证令牌的签名吗?我想API Gateway已经做到了。
Do I need to verify the signature of the token in the Lambda function? I presume that API Gateway has already done that.
是否存在更好的安全性管理方法?
Is there a better way to manage this in terms of security?
理想情况下,我希望能够基于用户池中的GROUPS限制对API端点的访问,但是我认为这是不可能的。
Ideally I would like to be able to limit access to the API Endpoint based on GROUPS within the User Pool, however I don't think this is possible.
Groups文档讨论了通过AWS Identity and Access Management限制访问/权限。如果我走这条路,该如何向API网关发出请求?我仍然使用JWToken授权标头,并使用Cognito作为API网关中的授权者吗?
The Groups documentation talks about limiting access/permissions via AWS Identity and Access Management. If I go down this path, how do I make a request to the API Gateway? Do I still use the JWToken Authorization header, and use Cognito as the Authorizer in API Gateway?
推荐答案
自定义属性/声明支持Cognito用户池中包含的内容是安全的,并且可以在正确使用后用于诸如此类的用例。有几点警告。
The custom attribute/claim support included with Cognito user pools is secure and can be used for use cases such as this when used correctly. There are a couple of caveats.
首先,请确保用户无法自行修改自定义属性。添加客户属性时,请勿将属性标记为可变。同样,可以将自定义属性标记为对每个应用程序可读或可写。对于此用例,您需要将属性设置为用户有权访问的应用程序可读。有关自定义属性的详细信息。
First, ensure that users aren't able to modify the custom attribute themselves. When adding the customer attribute, do not mark the attribute as mutable. Also, custom attributes can be can be marked as readable or writable for each application. For this use case, you'll want to set the attribute as readable for the application the users have access to. Details about custom attributes can be found here.
另一个警告是,请确保您的请求正文永远不会绕过您的映射模板,这可能会导致攻击者一种直接设置要传递给Lambda函数的管理员属性的方法。为此,请编辑您的集成请求,并将请求正文传递设置为从不。
The other caveat is to ensure that your request body can never by-pass your mapping template which could allow an attacker a way to directly set the administrator attribute being passed to your Lambda function. To do this, edit your integration request and set "Request body passthrough" to "Never".
在此用例中,您还可以使用其他替代方法。最干净的方法是为管理员提供完全独立的API。然后,您可以为管理员使用单独的Cognito用户池,也可以使用IAM用户或组。
There are other alternatives you could use for this use case. The cleanest approach is to provide a completely separate API for your administrators. Then you can use a separate Cognito user pool for your administrators, or you could use IAM users or groups.
这篇关于使用自定义属性通过到Lambda的API网关对Cognito用户进行身份验证是否安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
