Can I authenticate with AWS Cognito from plain Java?


Question

I want to test custom user authorization with Cognito and do it from a simple Java code. The problem is, the CognitoCachingCredentialsProvider requires an Android ApplicationContext and won't accept a null.

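The whole flow should look like this:

  1. The user logs in with email and password

  2. The backend (Lambda function) gets an IdentityToken from Cognito and returns it to the user

  3. The user can now retrieve credentials from Cognito and initialize the ApiClientFactory to authorize calls to other API endpoints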

Is there something I'm missing or do I just have the whole concept wrong? Any good tutorials on this? I've already gone through every possible documentation on AWS but I find it really hard to wrap my head around it and there is not a single material on plain Java, only Android.

Recommended answer

Generally Amazon Cognito is used from "untrusted" clients like mobile and JavaScript apps to vend temporary AWS Credentials directly to the end user. Since the most common Java client-side apps we see are Android apps, our guides focus on Android rather than plain Java, but the same process will work with the Java SDK.

When using Amazon Cognito's Developer Authenticated Identities feature as you mentioned you are doing, you'll get an OpenID Connect token back from the call to Amazon Cognito's GetOpenIdTokenForDeveloperIdentity on your backend (lambda) function. Your backend should provide that token to the client application after successfully authenticating the user.

Then the client-side application needs to make a call to Cognito's GetCredentialsForIdentity API (Java docs) passing in the token from the Server Side step above to get AWS Session Credentials as a Credentials object in the Java SDK. With these session credentials (which are effectively credentials from the AWS Security Token Service/STS), create a BasicSessionCredentials object, passing it the session credentials and session token as described under Explicitly Specifying Credentials in the Java SDK developer guide.
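
The client-side step described in the answer above, as an added example that is not part of the original answer. It assumes the AWS SDK for Java 1.x on the classpath and that the backend returns the Cognito identity ID together with the OpenID token; the class name, method name and command-line arguments are hypothetical.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.AnonymousAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentity;
import com.amazonaws.services.cognitoidentity.AmazonCognitoIdentityClientBuilder;
import com.amazonaws.services.cognitoidentity.model.Credentials;
import com.amazonaws.services.cognitoidentity.model.GetCredentialsForIdentityRequest;

import java.util.Collections;
import java.util.Date;

public class CognitoPlainJava {
    // Logins key used for developer authenticated identities.
    private static final String COGNITO_PROVIDER = "cognito-identity.amazonaws.com";

    /** Exchanges the backend-issued OpenID token for temporary AWS session credentials. */
    static BasicSessionCredentials exchange(String region, String identityId, String openIdToken) {
        // GetCredentialsForIdentity is an unsigned call, so the client holds no AWS keys.
        AmazonCognitoIdentity cognito = AmazonCognitoIdentityClientBuilder.standard()
                .withRegion(region)
                .withCredentials(new AWSStaticCredentialsProvider(new AnonymousAWSCredentials()))
                .build();

        GetCredentialsForIdentityRequest request = new GetCredentialsForIdentityRequest()
                .withIdentityId(identityId)
                .withLogins(Collections.singletonMap(COGNITO_PROVIDER, openIdToken));

        Credentials c = cognito.getCredentialsForIdentity(request).getCredentials();

        // The credentials are short-lived; refuse any that are already expired.
        Date expiration = c.getExpiration();
        if (expiration != null && expiration.before(new Date())) {
            throw new IllegalStateException("Cognito returned expired credentials");
        }
        return new BasicSessionCredentials(c.getAccessKeyId(), c.getSecretKey(), c.getSessionToken());
    }

    public static void main(String[] args) {
        // args: region, identity ID and OpenID token as returned by the backend.
        BasicSessionCredentials creds = exchange(args[0], args[1], args[2]);
        // Print only the non-secret key ID; keep the secret key and session token out of logs.
        System.out.println("Temporary access key ID: " + creds.getAWSAccessKeyId());
    }
}
```

The returned object can be wrapped in an AWSStaticCredentialsProvider and passed to any other SDK client builder; when the credentials expire, repeat the exchange with a fresh token from the backend.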
