Authorizing AWS API Gateway requests from token in query string


Problem description

I have API Gateway set up with a Cognito authorizer that correctly authorizes any request with the id token in the header.

This is fine when requests are XHR based as I can add the header when preparing the request. However I can't add this when using <audio src="http://api-gateway/..."> which is made directly by the browser.

The best I can do is append the token in the querystring (?token=...) but Cognito only accepts tokens in the headers.

Is there any way to get Cognito to authorize requests when they come from HTML/CSS?

Recommended answer

Unfortunately API Gateway does not support security tokens in query string or path parameters. I do not see this changing in the short term so would recommend replacing any hardcoded HTML elements with appropriate JS client code.
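
One way to do what the answer recommends, as an added example that is not part of the original answer: fetch the audio from JS with the id token in a header and give the `<audio>` element a `blob:` URL. It assumes the authorizer's token source is the `Authorization` header and that the API allows CORS for that header; the function names, element id and URLs are hypothetical.

```javascript
// Added example (not from the original answer). Assumes the Cognito authorizer's
// token source is the "Authorization" header and that the API allows CORS for it.
const TOKEN_HEADER = "Authorization"; // assumption: match your authorizer's token source

// Build the request so the id token travels only in a header, never in the URL
// (query strings leak into access logs, browser history and Referer headers).
function buildAuthorizedRequest(resourceUrl, idToken) {
  if (typeof idToken !== "string" || idToken.trim() === "") {
    throw new Error("missing id token");
  }
  const url = new URL(resourceUrl);
  if (url.protocol !== "https:") {
    throw new Error("refusing to send a token over " + url.protocol);
  }
  url.searchParams.delete("token"); // drop any leftover ?token=... workaround
  return {
    url: url.toString(),
    init: { method: "GET", headers: { [TOKEN_HEADER]: idToken }, credentials: "omit" },
  };
}

// Fetch the media with the header set, then hand the element a blob: URL.
// fetchImpl and makeObjectUrl are injectable so the logic can be tested outside a browser.
async function loadAuthorizedAudio(audioEl, resourceUrl, idToken,
    fetchImpl = globalThis.fetch,
    makeObjectUrl = (blob) => URL.createObjectURL(blob)) {
  const { url, init } = buildAuthorizedRequest(resourceUrl, idToken);
  const response = await fetchImpl(url, init);
  if (!response.ok) {
    // 401/403 here means the authorizer rejected the token (expired, wrong pool, ...).
    throw new Error("audio request failed with HTTP " + response.status);
  }
  const blob = await response.blob();
  audioEl.src = makeObjectUrl(blob);
  return audioEl.src;
}

// Browser usage (element id, URL and token variable are placeholders):
// loadAuthorizedAudio(document.getElementById("player"),
//   "https://api-gateway.example/audio/track-1", idToken)
//   .then(() => document.getElementById("player").play());
```

This downloads the whole file before playback starts, so it suits short clips rather than long streams; call `URL.revokeObjectURL` on the returned URL once the element no longer needs it.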
