Flow for authentication when MFA required for user in AWS Cognito


Question

I am attempting to add MFA for user authentication to an already existing solution (built in Angular) for device management within AWS Cognito.

I am having trouble figuring out how to handle this particular response well from a user-experience perspective. It actually feels broken, so I would love it if anyone else has experienced pain points here.

See Use Case 23 for an example implementation; mine is below:

```typescript
import { AuthenticationDetails, CognitoUser, CognitoUserPool } from 'amazon-cognito-identity-js';
import { Observable } from 'rxjs';

// Pool configuration; the IDs are left blank here on purpose
const userPool = new CognitoUserPool({ UserPoolId: '', ClientId: '' });

authenticate(username: string, password: string): Observable<any> {

    // init cognitoUser and the credentials it will authenticate with
    const authenticationDetails = new AuthenticationDetails({ Username: username, Password: password });
    const cognitoUser = new CognitoUser({ Username: username, Pool: userPool });

    return new Observable((observer) => {
        cognitoUser.authenticateUser(authenticationDetails, {
            onSuccess: (result: any) => {
                observer.next(result);
                observer.complete();
            },
            onFailure: (err: Error) => {
                observer.error(err);
            },
            mfaRequired: (codeDeliveryDetails: any) => {

                // SMS has just been sent automatically
                // and it needs to be confirmed within this scope

                // The example linked requests the code via `confirm()`
                // which is awful UX...and since this is a service
                // probably non-compliant with best practice
                // However, without this `confirm` at this point in
                // time, we have no confirmationCode below
                // (confirmationCode is not defined anywhere in this scope)

                cognitoUser.sendMFACode(confirmationCode, {
                    onSuccess: (result) => {
                        observer.next(result);
                        observer.complete();
                    },
                    onFailure: (err: Error) => {
                        observer.error(err);
                    }
                });
            }
        });
    });
}
```

Expected:


  • If the user authenticates successfully but has not added this device through MFA, we can manage the redirect to the appropriate confirmation code form page and trigger the sendMFACode function manually (perhaps through some sort of limited session?)

Problem/s:


  • We don't have a session, so we have no way of asking the user for the MFA code sent automatically outside of this login screen...catch 22?

  • Adding another show/hide field in the login form doesn't work, as it would hit the sendMfaCode function multiple times, resulting in multiple SMS codes being sent.

Has anyone had any luck stepping out of this flow?

Answer

Whilst I'm sure very talented people worked on the amazon-cognito-identity-js API, it is just straight up badly designed. That's why it's been deprecated. My personal advice would be to migrate to Amplify, which makes me much less angry.

With Amplify you can do these ones.



```javascript
import Amplify from 'aws-amplify'
import Auth from '@aws-amplify/auth'

let mfaRequired = false

Amplify.configure({
    Auth: {
        userPoolWebClientId: '',
        userPoolId: ''
    }
})

const logUserIn = (user) => {
  // Go forth and be happy
}

// Run me on your login form's submit event
const login = async (username, password) => {
  const user = await Auth.signIn(username, password)

  if (user.challengeName === 'SMS_MFA') {
    // Change UI to show MFA Code input
    mfaRequired = true
    return
  }
  return logUserIn(user)
}

// Run me when the user submits their MFA code
const sendMfaCode = async (mfaCode) => {
  const user = await Auth.confirmSignIn(mfaCode)
  return logUserIn(user)
}
```

BUT if for some sad reason you need to keep using amazon-cognito-identity-js, don't worry. I got you.

Just keep the cognitoUser object stored outside the callback. The documentation is a little misleading because it only shows self-contained examples, but there's no reason that you can't notify your UI when MFA is required and then call cognitoUser.sendMFACode() later.

Just remember that the documentation shows the passing of `this` to sendMFACode() for scoping (which is terrible), but you can just declare your callbacks as a variable and share it between your authenticateUser() and sendMFACode() functions (or as many functions as you like).

```javascript
import { CognitoUserPool, AuthenticationDetails, CognitoUser } from 'amazon-cognito-identity-js'

export let mfaRequired = false
export let cognitoUser = null

// One callback object, shared by authenticateUser() and sendMFACode()
export const cognitoCallbacks = {
  mfaRequired () {
    // Implement your functionality to show UI for the MFA form
    mfaRequired = true
  },
  onSuccess (response) {
    // Dance for joy, the code gods be glorious.
  },
  onFailure () {
    // Cry.
  }
}

// payload is { Username, Password } from the login form
export const logUserIn = payload => {
  cognitoUser = new CognitoUser({
    Username: payload.Username,
    Pool: new CognitoUserPool({
      UserPoolId: '',
      ClientId: ''
    })
  })
  return cognitoUser.authenticateUser(new AuthenticationDetails(payload), cognitoCallbacks)
}

// Called later, from the MFA form, using the cognitoUser kept above
export const sendMfaCode = MFACode => {
  if (!cognitoUser) throw new Error('No authentication in progress')
  cognitoUser.sendMFACode(MFACode, cognitoCallbacks)
}
```

That's a super basic implementation, and on top of that you could:


  1. Just override the mfaRequired function

  2. Wrap the whole thing in a pub/sub plugin and subscribe to events.

Hope that helps!
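The "keep cognitoUser outside the callbacks and share one callback object" pattern from the answer, as an added example that is not the answer's code nor part of amazon-cognito-identity-js. It wraps a CognitoUser-shaped object in a small state machine so the MFA screen can answer the challenge later, and it only lets sendMFACode run while exactly one challenge is pending, which is what prevents the duplicate-SMS problem from the question. `MfaLoginFlow` and `FakeCognitoUser` are assumed names; the fake user, the password and the code are constructed so the flow runs offline.

```javascript
// Added example, not the answer's code nor amazon-cognito-identity-js:
// a state machine around a CognitoUser-shaped object. The user object lives
// outside the callbacks so a separate MFA screen can answer the challenge,
// and sendMFACode is refused unless one challenge is pending, so resubmits
// or a second login click cannot trigger another SMS.
class MfaLoginFlow {
  constructor(makeUser) {
    this.makeUser = makeUser; // (username) => object with authenticateUser/sendMFACode
    this.state = 'idle';      // idle -> mfa_pending -> mfa_submitting -> authenticated | failed
    this.user = null;         // the CognitoUser-shaped object, kept across screens
    this.result = null; this.error = null;
  }
  // One callback object shared by authenticateUser() and sendMFACode().
  callbacks() {
    return {
      mfaRequired: () => { this.state = 'mfa_pending'; },
      onSuccess: (session) => { this.state = 'authenticated'; this.result = session; this.user = null; },
      onFailure: (err) => { this.state = 'failed'; this.error = err; this.user = null; },
    };
  }
  login(username, password) {
    if (this.state !== 'idle' && this.state !== 'failed') throw new Error('login not allowed in state ' + this.state);
    this.user = this.makeUser(username);
    this.user.authenticateUser({ Username: username, Password: password }, this.callbacks());
    return this.state;
  }
  submitMfaCode(code) {
    if (this.state !== 'mfa_pending') throw new Error('no MFA challenge pending (state ' + this.state + ')');
    if (!/^\d{6}$/.test(code)) throw new Error('MFA code must be 6 digits');
    this.state = 'mfa_submitting'; // a second submit while in flight is rejected by the check above
    this.user.sendMFACode(code, this.callbacks());
    return this.state;
  }
}

// Constructed stand-in for CognitoUser (offline): one valid password, one valid code, one answer per challenge.
class FakeCognitoUser {
  constructor(username) { this.username = username; this.challenged = false; }
  authenticateUser(details, cb) {
    if (details.Password !== 'correct horse') return cb.onFailure(new Error('NotAuthorizedException'));
    this.challenged = true;
    cb.mfaRequired({ DeliveryMedium: 'SMS' });
  }
  sendMFACode(code, cb) {
    if (!this.challenged) return cb.onFailure(new Error('no challenge pending'));
    this.challenged = false;
    if (code !== '123456') return cb.onFailure(new Error('CodeMismatchException'));
    cb.onSuccess({ idToken: 'constructed-token-for-' + this.username });
  }
}
```

With the real library the callbacks fire asynchronously, so `submitMfaCode` returns `'mfa_submitting'` and the UI reads the final state from `onSuccess`/`onFailure`; with the synchronous fake it returns the final state directly.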
