AWS cognito: What's the difference between Access and Identity tokens?

Views: 317

Question


Just reading the docs, they seem very similar to me so I can't really discern why to use one over the other. Although the identity token seems better since it has custom attributes on it from the user pool (e.g. custom:blah and the default ones like name and email).


Right now, I am working with an app that passes the access token back down to the browser so it can use it for making AJAX REST calls (there is an auth filter that expects this access token and validates it). Could I just switch out the access token with the id token? The current validation logic is to just get the sub field (the UUID) from the access token, but this sub field is also present in the identity token (as well as practically every other attribute except the aud, which I don't need). I just want to make sure I am understanding this right, as it is confusing to me why both tokens exist and seem so similar.

Answer


The id_token is for your application to process, so you can get all the personal details for your user, like their name, age, email address etc. Generally speaking you shouldn't send this token anywhere else as it contains sensitive user data.


The access_token is used to call other 'external' services (and by external I include other AWS services - these are often called over http). It provides service access authorisation for your user without having to include their personal details.


On the face of it this appears slightly confusing, as you can actually use the id_token to access services in the same way as the access_token. However, good practice is to use the access_token in this circumstance, and if backend services need user data, they should look it up themselves in Cognito.

