AWS API Gateway - using Access Token with Cognito User Pool authorizer?


Question



I am configuring an app with various frontends (mobile and web apps) and a single API backend, powered by Lambda and accessed via AWS API Gateway.

As I'm planning to use Cognito to authenticate and authorize users, I have set up a Cognito User Pool authorizer on my API Gateway and several API methods.

With an architecture like this, it seems logical that my apps (e.g. an iOS or Vue.js app) are the Client applications from an OAuth perspective, and my API Gateway backend is a Resource Server. Based on this Auth0 forum post it seems clear that I should therefore use an ID token in my client app, and pass an Access Token to authorize my API Gateway resources.

When I hit the Cognito /oauth2/authorize endpoint to get an access code and use that code to hit the /oauth2/token endpoint, I get 3 tokens - an Access Token, an ID Token and a Refresh Token. So far so good, as I should have what I need.

This is where I've run into difficulties - using the test function on the API Gateway Cognito User Pool Authorizer console, I can paste in the ID token and it passes (decoding the token on-screen). But when I paste in the Access Token, I get 401 - unauthorized.

In my Cognito setup, I have enabled Authorization Code Grant flow only, with email and openid scopes (this seems to be the minimum allowed by Cognito as I get an error trying to save without at least these ticked).

Do I need to add some specific scopes to get API Gateway to authorize a request with the Access Code? If so, where are these configured?

Or am I missing something? Will API Gateway only allow an ID token to be used with a Cognito User Pool Authorizer?

Solution

You can use an access token with the same authorizer that works for the id token, but there is some additional setup to be done in the User Pool and the APIG.

Even when this extra setup is done you cannot use the built-in authorizer test functionality with an access token, only an id token. Typical 80% solution from AWS!

To use an access token you need to set up resource servers in the User Pool under App Integration -> Resource Servers. It doesn't matter what you use, but I will assume you use <site>.com for the Identifier and you have one scope called api.

Now go to the method in APIG and enter the Method Request for the method. Assuming this is already set up with an authorizer tested with the id token, you then add <site>.com/api to the Settings -> OAuth Scopes section.

Just by adding the OAuth Scope it will make sure that the token now has to be an access token and an id token is no longer accepted.

This is detailed here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
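To make the switch described in the answer concrete, here is an added Python model of the documented authorizer decision (example code, not the page's or AWS's own): with no OAuth scopes on the method only an ID token for the app client passes, and once a scope such as <site>.com/api is configured only an access token carrying it passes. It assumes a constructed HMAC secret in place of the user pool's RS256 JWKS key and a constructed app client id.

```python
import base64, hashlib, hmac, json

# Constructed: a demo HMAC secret stands in for the user pool's RS256 key (the real
# authorizer verifies against the pool's JWKS), and the app client id is made up.
SECRET = b"constructed-demo-secret"
CLIENT_ID = "1example23456789"
METHOD_SCOPES = ["<site>.com/api"]   # the Method Request -> OAuth Scopes setting

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict) -> str:
    """Mint a constructed HS256 JWT carrying Cognito-style claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(token: str, method_scopes: list) -> tuple:
    """Model the documented authorizer decision; returns (allowed, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header, payload, sig = parts
    # Signature first; the algorithm is fixed here, never taken from the header.
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload))
    if not method_scopes:
        # No OAuth scopes on the method: only an ID token for this app client passes.
        if claims.get("token_use") != "id" or claims.get("aud") != CLIENT_ID:
            return False, "expected an ID token for this app client"
        return True, "id token accepted"
    # Scopes configured: only an access token carrying at least one of them passes.
    if claims.get("token_use") != "access":
        return False, "expected an access token"
    granted = set(claims.get("scope", "").split())
    if granted.isdisjoint(method_scopes):
        return False, "access token lacks a required scope"
    return True, "access token accepted"
```

A real deployment must verify the RS256 signature against the pool's JWKS and check the iss and exp claims before any claim is trusted; the token_use and scope checks above only show why the console test tool rejects an access token until scopes are set.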
