AWS Cognito，Lambda，DynamoDB中的用户凭据 [英] AWS Cognito, Lambda, User credentials in DynamoDB

问题描述

我在客户端上建立了与Facebook登录和AWS Cognito的身份验证流程。工作正常。但现在我需要一个用户的参考，它的facebook id在dynambodb表中。当然，我可以调用通过AWS API网关公开的AWS lambda函数，但是如何验证API调用实际上是否具有有效的facebook id，并且该facebook id与AWS Cognito Id匹配。也许我在这里遗漏了一些东西，希望你们能指出正确的方向;）谢谢！

解决方案

如果您可以通过识别代码而不是Facebook id键入ddb表，则可以使用认证凭据调用api网关。如果您在调用lambda时使用被叫方凭据，则可以通过令牌 $ context.identity.cognitoIdentityId 访问认证ID。这样可以确保该呼叫是由该ID的所有者发出的。您可以进一步查看 $ context.identity.cognitoAuthenticationProvider 是 graph.facebook.com ，以确保他们通过Facebook进行授权。不幸的是，Facebook id并没有在凭据中传递，所以如果你需要它，你将需要一个查找表，将cognito id映射到facebook id。有关可用令牌的更多详细信息，请参阅 here 。

I established a authentication flow with Facebook Login and AWS Cognito on the client site. Works fine. But now I need a reference of the user with its facebook id in a dynambodb table. Of course I could just call a AWS lambda function exposed via AWS API gateway, but how can I verify that the API call actually has a valid facebook id and that this facebook id matches the AWS Cognito Id. Maybe I am missing something here, I hope you guys can point me in the right direction ;) thanks!

解决方案

If you can key your ddb table by cognito id instead of facebook id, you can invoke api gateway with cognito credentials. If you use callee credentials when calling lambda you can access the cognito id via the token $context.identity.cognitoIdentityId. This ensures the call was made by the owner of this id. You can further check that $context.identity.cognitoAuthenticationProvider is graph.facebook.com to ensure they authed via Facebook. Unfortunately, the facebook id is not passed in the credentials, so if you need it you will need a lookup table mapping cognito id to facebook id. For more details on the available tokens see here.

这篇关于AWS Cognito，Lambda，DynamoDB中的用户凭据的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！