AWS Cognito:使用usernam / password或facebook登录 [英] AWS cognito: sign in with usernam/password OR facebook
问题描述
我想集成一个非常标准的功能:为用户(移动和网络)提供选项,以使用电子邮件/密码或使用RBAC的facebook(google)帐户登录RBAC(不同的用户可能具有不同的角色,例如用户,主持人,管理员,创建者等)。基本上,这就是我想要登录的内容:
I want to integrate a pretty standard functionality: give option to user (mobile and web) to either login with email/password or with facebook (google) account with RBAC (different users may have different roles, like users, moderators, admins, creators, etc). Here is basically what I want from sign in:
我阅读了许多AWS教程和其他材料。我对如何实施有了一定的了解,但是我仍然没有一个完整的画面。希望有人能在这里为我提供帮助。
I went through a number of AWS tutorials and other materials. I got some grasp on how to implement it, but I still don't have a full picture. Hope someone can help me here.
这是我目前的理解(请纠正我错的地方)。
Here is my current understanding (please correct me where I'm wrong).
1)对于电子邮件/密码注册/登录,我使用用户池。当用户登录时,我呼叫authenticateUser(我使用的是JS SDK):
1) For the email/password signup/signin I use a User Pool. When user signs-in I call authenticateUser (I'm using JS SDK):
cognitoUser.authenticateUser(authenticationDetails, {
..
})
其中onSuccess
where onSuccess
- 我存储身份,访问和刷新令牌,因此,用户
不必每次都输入其凭据 - 因为用户将访问AWS服务(例如S3),所以我将idToken交换为AWS凭证
- 在访问资源时将AWS凭证存储在LocalStore中以供进一步使用
2)对于Facebook登录,我使用联合身份验证
2) For the facebook sign-in I use Federated Identity
- 获取Facebook访问令牌
- 使用fb令牌获取认知身份
- 将认知身份交换为AWS凭证并将其存储在LocalStore中 >
- get a facebook access token
- with fb token get a cognito identity
- exchange a cognito identity to AWS creds and store those in LocalStore
第一季度。注册/登录逻辑是否有效且相当完整?我错过了什么吗?
Q1. Is it valid and fairly complete logic for sign-up/sign-in? Did I miss anything?
第二季度。我应该如何存储Facebook用户?我可以在用户池中这样做吗?我认为这是不可能的,但这意味着我有2个不同的用户目录:一个在UserPool中,另一个在另一个地方(在DynamoDB中这样说)
Q2. How should I store facebook users? Can I do it in User Pools? I have impression that it's not possible, but that means I have 2 different user directories: one in UserPool and another one in another place (lets say in DynamoDB)
Q3。如果我必须将用户存储在不同的位置(UserPool和DynamoDB),这意味着我实际上有2个用户,其中一个用户首先注册了电子邮件/密码,然后决定使用facebook-这对于我作为应用程序管理员和用户来说都是不便的。
Q3. If I have to store users in different places (UserPool and DynamoDB) that means I have 2 users for essentially one user, who first registered with email/password and then decided to use facebook - this is inconvenience for both me as app admin and user. How to deal with this situation?
第四季度。如何为使用Facebook令牌登录的用户(如用户,主持人,管理员,创建者等)管理群组?
Q4. How to manage groups for users, who signed-in with facebook token (like users, moderators, admins, creators, etc)?
Q5。我应该如何限制Facebook登录用户访问AWS以外的资源?
Q5. How should I restrict access to resources other than AWS for facebook signed-in users?
Q6。
谢谢!
推荐答案
-
我是人,可能错过了一些东西,但这对我来说听起来很不错。
I'm human and may have missed something, but that sounds pretty good to me.
您不能存储联合身份登录用户池。就像Facebook一样,用户池是另一个身份提供者。
You can't store a federated identities login in user pools. Thing of user pools as another identity provider, just like Facebook is. Dynamo (or something else) would be the way to go.
如果用户同时登录并链接了这些登录名,则可能要考虑避免使用该用户。仅使用dynamo完全池化属性。链接了两个登录名后,Cognito联合身份仅需要一个登录令牌即可继续进行,而用户池则需要其登录令牌才能查看/更新属性。用户必须使用用户池登录才能触摸这些属性,否则会变得混乱。
If a user logged in with both, linking those logins, you might want to consider avoiding user pools attributes entirely and only using dynamo. With two logins linked, Cognito federated identities only requires one login token to proceed, but user pools requires it's login token to see/update attributes. The user would have to login with the user pool to touch those attributes, it'd get messy.
这篇关于AWS Cognito:使用usernam / password或facebook登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
