Amazon Cognito Oauth2 with Spring Security


Question


I'm trying to implement Spring Security in a resource server with "Cognito Oauth2", however I don't seem to find much info about it (or if it's even possible to do so).

My nearest approach was using "Nimbus+JOSE" to check the validity of the "Access Token" with the "JWKS" and give permissions to access the resource. (Similar to the example they give with the "API Gateway Resource Protection Implementation" found here: https://aws.amazon.com/es/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/)
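The following is an added example, not code from the question or from the answer: it is the resource-server side the question asks about, written against Spring Security's OAuth 2.0 resource-server support (the spring-boot-starter-oauth2-resource-server dependency; Spring Security 5.2 or later for NimbusJwtDecoder and the lambda DSL) instead of hand-written Nimbus JOSE code. The region, user pool id and app client id are placeholder values taken from the answer's configuration and are assumptions; replace them with your own. Two checks matter specifically for Cognito: a user-pool access token carries no aud claim (the app client id is in client_id), and token_use tells an access token apart from an ID token, so both are validated explicitly on top of the default expiry and issuer checks.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/**
 * Resource-server configuration for Amazon Cognito user-pool access tokens.
 * Assumed placeholder values: region eu-central-1, user pool eu-central-1_xxxxxxxxx,
 * app client id 391uhnjlr8v8kicm3cru6g1s8g.
 */
@Configuration
@EnableWebSecurity
public class CognitoResourceServerConfig extends WebSecurityConfigurerAdapter {

    private static final String REGION = "eu-central-1";
    private static final String USER_POOL_ID = "eu-central-1_xxxxxxxxx";
    private static final String CLIENT_ID = "391uhnjlr8v8kicm3cru6g1s8g";

    // Cognito issues tokens with iss = https://cognito-idp.<region>.amazonaws.com/<poolId>
    private static final String ISSUER =
            "https://cognito-idp." + REGION + ".amazonaws.com/" + USER_POOL_ID;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every request must carry a valid bearer token; no login redirect on this server.
        http.authorizeRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(jwt -> jwt.decoder(jwtDecoder())));
    }

    @Bean
    public JwtDecoder jwtDecoder() {
        // The signature is checked against the pool's JWKS; the key is chosen by the
        // token's kid header, and the key set is cached and refreshed by the decoder.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
                .withJwkSetUri(ISSUER + "/.well-known/jwks.json")
                .build();

        // Default validators: exp/nbf (with clock skew) and iss == ISSUER.
        OAuth2TokenValidator<Jwt> defaults = JwtValidators.createDefaultWithIssuer(ISSUER);

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(
                defaults, tokenUseIs("access"), clientIdIs(CLIENT_ID)));
        return decoder;
    }

    /** Rejects ID tokens presented as bearer tokens: Cognito sets token_use=id on those. */
    static OAuth2TokenValidator<Jwt> tokenUseIs(String expected) {
        return jwt -> expected.equals(jwt.getClaimAsString("token_use"))
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "token_use is not " + expected, null));
    }

    /** Cognito access tokens have no aud claim; the app client id is in client_id instead. */
    static OAuth2TokenValidator<Jwt> clientIdIs(String expected) {
        return jwt -> expected.equals(jwt.getClaimAsString("client_id"))
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                        new OAuth2Error("invalid_token", "client_id does not match", null));
    }
}
```

Without the client_id check any access token from the same user pool, including one issued to a different app client, would be accepted; without the token_use check a stolen ID token (which does carry an aud) would pass the signature and issuer checks just the same.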

Answer

A great starting point for Oauth2 using the latest Spring Boot 2.x / Spring Security 5.x can be found here : https://spring.io/blog/2018/03/06/using-spring-security-5-to-integrate-with-oauth-2-secured-services-such-as-facebook-and-github

It uses Facebook / Github as an example but you can apply it to AWS Cognito also.

This is by far the easiest way to set up a secure REST backend with Spring Security / Cognito OAuth2. Your backend will be secured via Spring Security, and AWS Cognito will be used as the identity provider.

You can set up a vanilla Spring Boot app using the Spring Security starter as outlined in the article using the following dependencies:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
    </dependency>

    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-jose</artifactId>
    </dependency>

and provide your cognito configuration (client registration + provider definition) like this:

spring:
  security:
    oauth2:
      client:
        registration:
          cognito-client-1:
            client-id: 391uhnjlr8v8kicm3cru6g1s8g
            client-secret: xxxxxxxxxxxxxxxxxxxxxxxxxx
            client-name: Cognito Code Grant
            provider: cognito
            scope: openid
            # Spring Boot 2.0 property name; from Spring Boot 2.1 on it is "redirect-uri".
            # Must match one of the callback URLs configured on the Cognito app client exactly.
            redirect-uri-template: http://localhost:8080/login/oauth2/code/cognito
            authorization-grant-type: authorization_code
        provider:
          cognito:
            # Hosted UI endpoints live under the user pool's custom domain ...
            authorization-uri: https://custom-domain.auth.eu-central-1.amazoncognito.com/oauth2/authorize
            token-uri: https://custom-domain.auth.eu-central-1.amazoncognito.com/oauth2/token
            user-info-uri: https://custom-domain.auth.eu-central-1.amazoncognito.com/oauth2/userInfo
            # ... while the signing keys are served from the cognito-idp issuer URL of the pool.
            jwk-set-uri: https://cognito-idp.eu-central-1.amazonaws.com/eu-central-1_xxxxxxxxx/.well-known/jwks.json
            # ID-token claim used for Principal.getName()
            user-name-attribute: cognito:username

As far as Cognito is concerned you need to have a user pool / identity pool with a couple of users and a valid app client ( = client-id in spring config) in cognito with

  • a secret ( = client-secret in the spring config)
  • the correct grants and scopes (in this case I'm using the authorization_code grant with an openid scope)
  • the correct redirect callback ( = redirect-uri-template in the spring config)
  • a domain configuration in cognito
  • a JWK uri containing your cognito user pool (jwk-set-uri in the spring config)

With everything in place, the Spring Boot app will automatically generate a login url

Redirecting you to the cognito login page where you can enter your cognito credentials

And after a successful authentication you'll be able to do a secure REST call

With a REST controller like this:

import java.security.Principal;

import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExampleController {

    // After OIDC login the Principal is the OAuth2AuthenticationToken; getName()
    // returns the user-name-attribute configured above (cognito:username).
    @RequestMapping("/")
    public String email(Principal principal) {
        return "Hello " + principal.getName();
    }

}

