Firebase authentication vs AWS Cognito


Problem description

We are building a mobile and web app on AWS using API Gateway and Lambda and are currently evaluating if we should use all the AWS Mobile Services (Cognito, Analytics, Mobile Hub, etc) or if we should use Firebase instead (which offers some advantages like remote config).

I think using the non-functional part of Firebase like Analytics, Remote Config, Crash Reports, Notification should be fine with the AWS backend. The part where I am not certain is the Authentication Layer.

AWS Cognito integrates nicely into API Gateway and Lambda, e.g. only authenticated users can execute certain API calls.

Can the same behaviour be reached if we use Firebase Authentication instead? Any good or bad experience with this?

Recommended answer

We are doing the same. We started with Cognito but moved to Firebase because we were not satisfied with the way AWS Android SDK implements the authentication flow with Google and Facebook: the code is quite old, it makes use of deprecated methods and generally requires rewriting. On the other hand, Firebase authentication is obviously working seamlessly. When you don't use Cognito, you need to implement your custom authenticator in AWS API Gateway which is quite easy and is described in https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/. Firebase instructions for token validation are in https://firebase.google.com/docs/auth/admin/verify-id-tokens

The following is an excerpt of my authenticator's code:

'use strict';

// Firebase initialization
// console.log('Loading function');
const admin = require("firebase-admin");
admin.initializeApp({
  credential: admin.credential.cert("xxx.json"),
  databaseURL: "https://xxx.firebaseio.com"
});
// Standard AWS AuthPolicy - don't touch !!
...
// END Standard AWS AuthPolicy - don't touch !!

exports.handler = (event, context, callback) => {
    // console.log('Client token:', event.authorizationToken);
    // console.log('Method ARN:', event.methodArn);

    // validate the incoming token
    // and produce the principal user identifier associated with the token

    // this is accomplished by Firebase Admin
    admin.auth().verifyIdToken(event.authorizationToken)
        .then(function(decodedToken) {
            let principalId = decodedToken.uid;
            // console.log(JSON.stringify(decodedToken));

            // if the token is valid, a policy must be generated which will allow or deny access to the client

            // if access is denied, the client will receive a 403 Access Denied response
            // if access is allowed, API Gateway will proceed with the backend integration configured on the method that was called

            // build apiOptions for the AuthPolicy
            const apiOptions = {};
            const tmp = event.methodArn.split(':');
            const apiGatewayArnTmp = tmp[5].split('/');
            const awsAccountId = tmp[4];
            apiOptions.region = tmp[3];
            apiOptions.restApiId = apiGatewayArnTmp[0];
            apiOptions.stage = apiGatewayArnTmp[1];

            const method = apiGatewayArnTmp[2];
            let resource = '/'; // root resource
            if (apiGatewayArnTmp[3]) {
                resource += apiGatewayArnTmp[3];
            }


            // this function must generate a policy that is associated with the recognized principal user identifier.
            // depending on your use case, you might store policies in a DB, or generate them on the fly

            // keep in mind, the policy is cached for 5 minutes by default (TTL is configurable in the authorizer)
            // and will apply to subsequent calls to any method/resource in the RestApi
            // made with the same token

            // the policy below grants access to all resources in the RestApi
            const policy = new AuthPolicy(principalId, awsAccountId, apiOptions);
            policy.allowAllMethods();
            // policy.denyAllMethods();
            // policy.allowMethod(AuthPolicy.HttpVerb.GET, "/users/username");

            // finally, build the policy and exit the function
            callback(null, policy.build());
        })
        .catch(function(error) {
            // Firebase throws an error when the token is not valid
            // you can send a 401 Unauthorized response to the client by failing like so:
            console.error(error);
            callback("Unauthorized");
        });
};

We are not in production, yet, but tests on the authenticator show that it behaves correctly with Google, Facebook and password authentication and it is also very quick (60 - 200 ms). The only drawback I can see is that you will be charged for the authenticator lambda function, while the Cognito integrated authenticator is free.
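The excerpt above calls `policy.allowAllMethods()` and notes that API Gateway caches the returned policy per token. The following added example (not part of the original answer) builds the authorizer response by hand with a scoped policy that stays correct while cached. The route table and the `admin` custom claim are hypothetical; `decodedToken` stands for the value `verifyIdToken()` resolves to.

```javascript
// Added example: hand-built authorizer response; route table and claim rules are hypothetical.

// Accept "Bearer <jwt>" or a bare JWT; anything else is rejected before verification.
function extractToken(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = /^(?:Bearer\s+)?([\w-]+\.[\w-]+\.[\w-]+)$/i.exec(headerValue.trim());
  return m ? m[1] : null;
}

// arn:aws:execute-api:<region>:<account>:<apiId>/<stage>/<VERB>/<resource path>
function stageArn(methodArn) {
  const [arn, partition, service, region, account, ...rest] = methodArn.split(':');
  const [apiId, stage, verb] = rest.join(':').split('/');
  if (arn !== 'arn' || service !== 'execute-api' || !apiId || !stage || !verb) {
    throw new Error('unexpected method ARN');
  }
  return `arn:${partition}:execute-api:${region}:${account}:${apiId}/${stage}`;
}

// Hypothetical route table: which token claims unlock which routes.
const ROUTES = [
  { verb: 'GET', path: 'users/*', when: (t) => t.email_verified === true },
  { verb: '*', path: 'admin/*', when: (t) => t.admin === true }, // assumed custom claim
];

// decodedToken is what admin.auth().verifyIdToken() resolves to in the Lambda.
function buildAuthorizerResponse(decodedToken, methodArn) {
  const base = stageArn(methodArn);
  // List every route this user may call, not only the one being requested:
  // API Gateway caches the policy per token and reuses it for other methods.
  const allowed = ROUTES.filter((r) => r.when(decodedToken))
    .map((r) => `${base}/${r.verb}/${r.path}`);
  const statement = allowed.length
    ? { Action: 'execute-api:Invoke', Effect: 'Allow', Resource: allowed }
    : { Action: 'execute-api:Invoke', Effect: 'Deny', Resource: [`${base}/*/*`] };
  return {
    principalId: decodedToken.uid,
    policyDocument: { Version: '2012-10-17', Statement: [statement] },
    // context values reach the backend; only string, number and boolean are accepted
    context: { emailVerified: decodedToken.email_verified === true },
  };
}

// Constructed sample input (account ID and API ID are placeholders).
const sample = buildAuthorizerResponse({ uid: 'u1', email_verified: true },
  'arn:aws:execute-api:eu-west-1:123456789012:abc123/prod/GET/users/alice');
console.log(JSON.stringify(sample.policyDocument));
```

In the handler, pass `extractToken(event.authorizationToken)` to `verifyIdToken()` and fail with `callback("Unauthorized")` when it returns `null`.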
