从Cognito身份池IdentityId获取Cognito用户池用户名 [英] Getting cognito user pool username from cognito identity pool identityId

问题描述

我正在将AWS Congito用户池用于具有该用户池作为身份提供者的Cognito身份池的账户管理。我正在使用它来控制通过将请求发送到Lambda的API网关对API的访问。我的Lambda是使用Micronaut在Java 8中实现的。

I am using AWS Congito User Pools for account management with a Cognito Identity Pool that has this User Pool as the Identity Provider. I'm using this to control access to an API through API Gateway that sends requests to Lambda. My Lambda is implemented with Java 8 using Micronaut. All of this is working fine.

在Lambda中，我从 Principal 的名称中 HttpRequest ：

In the Lambda, I'm getting the name from the Principal in the HttpRequest:

  protected String resolveUser( HttpRequest request ){
    String ret = null;

    Optional<Principal> principal = request.getUserPrincipal();
    if( principal.isPresent() ){
      ret = principal.get().getName();
    }

    if( ret == null || ret.length() == 0 ){
      ret = "unknown";
    }
    return ret;
  }

Cognito identityId的字符串名称返回了什么。像这样的东西：

What is coming back in the string name of the Cognito identityId. Something like this:

us-east-1：xxxxe650-53f4-4cba-b553-5dff42bexxxx

us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx

我想记录实际的用户登录名，或者至少需要某种方式在需要时将identityId转换为登录名。

I would like to either log the actual user login or at least have some way to convert the identityId to the login when needed.

LookupDeveloperIdentity API调用似乎是正确的方法，但是我无法使其正常工作。

The LookupDeveloperIdentity API call appears to be the right way to go about this, but I'm unable to get it to work.

尝试使用Java和AWS Java SDK 2做到这一点：

Attempting to do this with Java and the AWS Java SDK 2:

  protected String loadUsername( String user ){
    String ret = "unknown:"+user;
    CognitoIdentityClient cognito = CognitoIdentityClient.create();

    LookupDeveloperIdentityRequest request = LookupDeveloperIdentityRequest.builder()
      .identityPoolId( identityPoolId )
      .identityId( user )
      .build();
    LookupDeveloperIdentityResponse response = cognito.lookupDeveloperIdentity( request );
    List<String> identifiers = response.developerUserIdentifierList();
    if( identifiers != null && identifiers.size() > 0 ){
      ret = identifiers.get( 0 );
    }

    return ret;    
  }

抛出异常

software.amazon.awssdk.services.cognitoidentity.model.NotAuthorizedException：您无权访问此身份（服务：CognitoIdentity，状态代码：400，请求ID：64e36646-612b-4985- 91d1-82aca770XXXX）

software.amazon.awssdk.services.cognitoidentity.model.NotAuthorizedException: You do not have access to this identity (Service: CognitoIdentity, Status Code: 400, Request ID: 64e36646-612b-4985-91d1-82aca770XXXX)

尝试通过CLI生成类似结果：

Attempting to do this via the CLI produces a similar result:

aws认知身份查找开发人员身份--identity-id us-east-1：xxxxe650-53f4-4cba-b553-5dff42bexxxx --identity-pool-id us-east -1：xxxx0aa1-89f9-4418-be04-7e83c838xxxx --max-results = 10

aws cognito-identity lookup-developer-identity --identity-id us-east-1:xxxxe650-53f4-4cba-b553-5dff42bexxxx --identity-pool-id us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx --max-results=10

调用LookupDeveloperIdentity操作时发生错误（NotAuthorizedException）：您没有访问此身份

An error occurred (NotAuthorizedException) when calling the LookupDeveloperIdentity operation: You do not have access to this identity

我已经确定IAM政策应该能够处理此问题，当我尝试使用角色没有此政策，我会收到其他错误

I have made sure the IAM policy in place should be able to handle this, and when I try it with a role that does not have this policy, I get a different error

    {
        "Effect": "Allow",
        "Action": [
            "cognito-identity:LookupDeveloperIdentity"
        ],
        "Resource": [
            "arn:aws:cognito-identity:us-east-1:##########:identitypool/us-east-1:xxxx0aa1-89f9-4418-be04-7e83c838xxxx"
        ]
    }

所以问题归结为：

• 这是从身份池ID中获取用户池用户名的最佳方法吗？
  
  
  
  
  • 如果是-我做错了什么？
  
  
  • 如果不是-有什么更好的方法
  
  

  推荐答案

  替代方法

  要检索用户的用户池用户ID，您可以在lambda中检索：

  In order to retrieve the user’s User Pool user id you can retrieve in your lambda:

  authProvider = event.requestContext.identity.cognitoAuthenticationProvider;
  

  这将返回一个字符串，其中将包括用户的用户池用户ID，其外观类似于：

  This will return a string which will include the user's User Pool user ID and it will look something like:

  cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx,cognito-idp.us-east-1.amazonaws.com/us-east-1_aaaaaaaaa:CognitoSignIn:qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr
  

  其中us-east-1_aaaaaaaaa是用户池ID，而qqqqqqqqq-1111-2222-3333-rrrrrrrrrrrr是用户池用户ID。然后，您可以拆分字符串并提取用户ID。

  Where us-east-1_aaaaaaaaa is the User Pool id and qqqqqqqq-1111-2222-3333-rrrrrrrrrrrr is the User Pool User Id. You can then split the string and extract the user ID.

  请注意，这些信息会因您使用的身份验证提供程序而有所不同。

  然后，如果您需要用户名而不是用户ID，则可以通过获取该特定用户ID的适当详细信息，直接从用户池中提取它。

  Then if you need the username instead of user ID you can extract it directly from user Pool by getting the appropriate details for that specific user ID.

  参考

  https://serverless-stack.com/chapters/mapping-cognito-identity-id-and-user-pool-id.html

  这篇关于从Cognito身份池IdentityId获取Cognito用户池用户名的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！