AWS: How can I use AWS Cognito to provide authorization service for a webapp hosted by Cloudfront and EC2 instances?


Question


I'm new to AWS and just exploring possible architectures using the tools like AWS cognito, AWS Cloudfront, and/or AWS API Gateway.

Currently, my app is deployed in an EC2 instance and here is the outline:

Frontend: React app running on port 80. When a user goes to https://myapp.com, the request is directed to my-ec2-instance:80.

Backend: Nodejs + Express running on port 3000. After the user loads the frontend in the browser, when he interacts with the website, http requests are sent to https://myapp.com/api/*, which are routed to my-ec2-instance:3000;

I use nginx/openresty as a single entry point to my webapp, and it does authorization with AWS Cognito, and then reverse-proxy the requests based on path:

Now, instead of managing an EC2 instance with the nginx/openresty service in it, I want to go serverless.

I plan to point my domain myapp.com to AWS CloudFront, and then Cloudfront acts as the single entry point to replace the functionalities of Nginx/Openresty. It should do the following:

  1. Authorization with AWS Cognito:
    When a user first visits myapp.com, he is directed to AWS Cognito from AWS Cloudfront to complete the sign-in step.

  2. path-based reverse proxy: I know this can be done. I can configure this from the CloudFront configuration page.

But for 1, Can Cloudfront do authorization with AWS Cognito? Is this the right way of using AWS Cloudfront?

After reading the AWS doc and trying with Cloudfront configurations, I started to think that Cloudfront is not built for such a use case at all.

Any suggestions?

Solution

You mentioned "serverless", but you are using EC2, which is a server. You can use AWS Lambda (Node JS) for the backend and S3 for the front end. AWS API Gateway has a built-in authorization feature where you can use AWS Cognito. CloudFront is for content delivery cached in edge locations, so content is delivered faster from the edge location nearest to the user.

You can follow the below steps to implement serverless concept in AWS.

  1. Create the front end and upload to S3

  2. Configure AWS Cognito and grab the following UserPoolId: 'xxxx', ClientId: 'xxxx', IdentityPoolId: 'xxxx', Region: 'xxxx'

  3. Use aws-cognito-sdk.min.js to authenticate user and get the JWT token, sample code can be found here. This JWT token needs to be passed to each and every API call in the header section. If using AJAX then sample code is

    var xhr = new XMLHttpRequest();
    xhr.open("GET", apiUrl);                        // apiUrl: your API Gateway endpoint; open() must come before setRequestHeader()
    xhr.setRequestHeader("Authorization", idToken); // idToken: the Cognito ID token (JWT) from the sign-in step
    xhr.send();

  4. Configure AWS API gateway and cloudfront - follow documentation

  5. In the API Gateway configuration, select Cognito for those APIs for which you want to use authorized access.

  6. Create AWS Lambda functions for the backend and link to API Gateway.
