AWS cognito user pool server side flow with spring boot


Question

I want to implement the AWS Cognito server-side flow with Spring Boot. I don't quite understand what the flow should be. Should I use Spring OAuth along with it?

The requirement is something like this: as an admin, create users and give these created users access to use my API from API Gateway (let's ignore the API Gateway part and say we just need an access token from Cognito for now).

Here is what I think should happen if I use AWS Cognito with Spring OAuth2:

The user hits localhost:8000/oauth/token with basic authentication (username and password), which will do an API call with the user credentials. The user receives the token and uses it however he/she needs it.


  1. Is this flow secure? Should I use Spring OAuth along with it?
  2. How do I handle "respond to auth challenge"? Should the user pass a new password the first time they call my application API?



import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AuthFlowType;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RestController;

import java.util.HashMap;
import java.util.Map;

@RestController
public class Oauth {

    @PostMapping(path = "/oauth/token")
    public String token(@RequestHeader("username") String username, @RequestHeader("password") String password) {

        // AWSStaticCredentialsProvider has no no-arg constructor; the default chain
        // (environment, profile or instance role) avoids hard-coding keys here.
        AWSCognitoIdentityProvider provider = AWSCognitoIdentityProviderClientBuilder
                .standard()
                .withRegion(Regions.US_WEST_2)
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance()).build();

        Map<String, String> authParams = new HashMap<>();
        authParams.put("USERNAME", username);
        authParams.put("PASSWORD", password);

        AdminInitiateAuthRequest adminInitiateAuthRequest = new AdminInitiateAuthRequest()
                .withClientId("{client-id}")
                .withUserPoolId("{user-pool-id}")
                .withAuthFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH) // must be enabled on the app client
                .withAuthParameters(authParams);

        AdminInitiateAuthResult authResult = provider.adminInitiateAuth(adminInitiateAuthRequest);
        // getAuthenticationResult() is null when Cognito answers with a challenge
        // (e.g. NEW_PASSWORD_REQUIRED for an admin-created user); the caller must check it.
        return authResult.getAuthenticationResult().getIdToken();
    }
}
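The second question above (what happens when Cognito answers with a challenge instead of tokens) is the usual case for an admin-created user: ADMIN_USER_PASSWORD_AUTH returns a NEW_PASSWORD_REQUIRED challenge with a session, and the server must send the new password back with AdminRespondToAuthChallenge before any tokens are issued. The following is an added example, not code from the question or the answer, using the AWS SDK for Java v1 Cognito Identity Provider client; the class name CognitoAuthService, the Outcome holder and the client/user-pool id placeholders are assumptions for illustration.

```java
// Added example: drive the ADMIN_USER_PASSWORD_AUTH flow and complete the
// NEW_PASSWORD_REQUIRED challenge. The AWS credentials used here must be allowed
// cognito-idp:AdminInitiateAuth and cognito-idp:AdminRespondToAuthChallenge on the pool.
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProvider;
import com.amazonaws.services.cognitoidp.AWSCognitoIdentityProviderClientBuilder;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthRequest;
import com.amazonaws.services.cognitoidp.model.AdminInitiateAuthResult;
import com.amazonaws.services.cognitoidp.model.AdminRespondToAuthChallengeRequest;
import com.amazonaws.services.cognitoidp.model.AdminRespondToAuthChallengeResult;
import com.amazonaws.services.cognitoidp.model.AuthFlowType;
import com.amazonaws.services.cognitoidp.model.AuthenticationResultType;
import com.amazonaws.services.cognitoidp.model.ChallengeNameType;

import java.util.HashMap;
import java.util.Map;

public class CognitoAuthService {

    /** Either a completed login (tokens != null) or a pending challenge (challengeName != null). */
    public static final class Outcome {
        public final AuthenticationResultType tokens;
        public final String challengeName;
        public final String session; // opaque; must be echoed back in the challenge response

        Outcome(AuthenticationResultType tokens, String challengeName, String session) {
            this.tokens = tokens;
            this.challengeName = challengeName;
            this.session = session;
        }

        public boolean needsNewPassword() {
            return ChallengeNameType.NEW_PASSWORD_REQUIRED.toString().equals(challengeName);
        }
    }

    private final AWSCognitoIdentityProvider provider;
    private final String clientId;   // assumed placeholder, e.g. "{client-id}"
    private final String userPoolId; // assumed placeholder, e.g. "{user-pool-id}"

    public CognitoAuthService(String clientId, String userPoolId) {
        this.clientId = clientId;
        this.userPoolId = userPoolId;
        this.provider = AWSCognitoIdentityProviderClientBuilder.standard()
                .withRegion(Regions.US_WEST_2)
                .withCredentials(DefaultAWSCredentialsProviderChain.getInstance())
                .build();
    }

    /** First step: username/password. For a freshly created user this normally yields a challenge. */
    public Outcome initiate(String username, String password) {
        Map<String, String> params = new HashMap<>();
        params.put("USERNAME", username);
        params.put("PASSWORD", password);

        AdminInitiateAuthResult r = provider.adminInitiateAuth(new AdminInitiateAuthRequest()
                .withClientId(clientId)
                .withUserPoolId(userPoolId)
                .withAuthFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
                .withAuthParameters(params));
        return new Outcome(r.getAuthenticationResult(), r.getChallengeName(), r.getSession());
    }

    /** Second step: answer NEW_PASSWORD_REQUIRED with the session from the first step. */
    public Outcome completeNewPassword(String username, String newPassword, String session) {
        Map<String, String> responses = new HashMap<>();
        responses.put("USERNAME", username);
        responses.put("NEW_PASSWORD", newPassword);

        AdminRespondToAuthChallengeResult r = provider.adminRespondToAuthChallenge(
                new AdminRespondToAuthChallengeRequest()
                        .withClientId(clientId)
                        .withUserPoolId(userPoolId)
                        .withChallengeName(ChallengeNameType.NEW_PASSWORD_REQUIRED)
                        .withChallengeResponses(responses)
                        .withSession(session));
        return new Outcome(r.getAuthenticationResult(), r.getChallengeName(), r.getSession());
    }
}
```

A controller built on this would return HTTP 200 with the tokens when outcome.tokens is non-null, and otherwise return the challenge name plus session so the client can call a second endpoint with the new password; the session is short-lived and single-use, so it should not be stored server-side. Because the endpoint relays user passwords and holds admin-capable AWS credentials, serve it only over TLS, keep passwords out of request logs, and scope the IAM policy to the two Admin* actions on this one pool.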


Answer


Business requirement is quite simple there needs to be a pool of users (cognito in this case) who can get some kind of a token to access few APIs. I want to achieve this using spring boot, since the API is written using spring boot and also I use AWS Api Gateway

Should I use spring oauth along with it ?

No. Authorization is done by API Gateway.
API clients need to obtain a token from Cognito (i.e. authenticate themselves there) before using the API. There is no need to do anything on the application (Spring) side.
Details are here.

If you want to implement authentication for API clients using Cognito, then see the Cognito docs for examples and manuals.
FYI, Application Load Balancer can be used to handle the whole authentication flow for the API.

