Using DynamoDB With Cognito: Token is not from a supported provider of this identity pool

Problem description

I am in the process of implementing registration and login for my iOS app, using this project as an example:

https://github.com/awslabs/aws-sdk-ios-samples/tree/75ada5b6283b7c04c1214b2e1e0a6394377e3f2b/CognitoYourUserPools-Sample/Objective-C/CognitoYourUserPoolsSample

Previously, my app was able to access DynamoDB resources by using a credentials provider set up in my AppDelegate's didFinishLaunchingWithOptions method. However, after changing my project to include logging in and function like the example, I see the error:

"__type":"NotAuthorizedException","message":"Token is not from a supported provider of this identity pool."

The code setting the credentialsProvider in AppDelegate currently looks like this:

    let serviceConfiguration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: nil)
    let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId:APP_CLIENT_ID, clientSecret: APP_CLIENT_SECRET, poolId: USER_POOL_ID)
    AWSCognitoIdentityUserPool.registerCognitoIdentityUserPoolWithConfiguration(serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: USER_POOL_NAME)
    let pool = AWSCognitoIdentityUserPool(forKey:USER_POOL_NAME)
    pool.delegate = self
    self.storyboard = UIStoryboard(name: "Main", bundle: nil)
    let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: IDENTITY_POOL_ID, identityProviderManager:pool)
    let configuration = AWSServiceConfiguration(region:.USEast1, credentialsProvider:credentialsProvider)

I also cannot access any DynamoDB data through my app.

Based on the console output, the registration process seems to work correctly, although I'm unsure about the sign-in process. It occurred to me that I had changed the region from EU-West-1, where the DynamoDB resources were stored, to US-East-1. In order to account for this change, I repeated the same steps I had initially taken to allow my app to access DynamoDB:


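  • I created Auth and Unauth roles, both with the same action permissions as the roles I had used previously, but using the EU-West-1 resources.

  • I set these roles for the user pool I created when setting up registration, under the unauthenticated role and the authenticated role.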

In case it makes a difference, I should note that I did not use the exact same sign-in process outlined in the example project I linked. Instead, I used the explicit sign in process, like so:

    let name = usernameField.text!
    let user = pool!.getUser(name)
    lock()
    user.getSession(name, password: passwordField.text!, validationData: nil, scopes: nil).continueWithExecutor(AWSExecutor.mainThreadExecutor(), withBlock: {
        (task:AWSTask!) -> AnyObject! in
        if task.error != nil {
            self.sendErrorPopup("ERROR: Unable to sign in. Error description: " + task.error!.description)
        } else {
            print("Successful Login")
            dispatch_async(dispatch_get_main_queue()){
                self.performSegueWithIdentifier("mainViewControllerSegue", sender: self)
            }
        }
        self.unlock()
        return nil
    })

The methods lock(), unlock(), and sendErrorPopup() are strictly UI-related methods that I made so that the beginning and end of the sign-in process would be more visually clear. The console output always reads "successful login", but I am wondering if this code actually signs the user in correctly, since the error message makes it sound like the user might not be properly authorized.

It occurred to me that the US-West tables might not have been set up correctly, but I experience the same problem even when trying to create new tables, so I don't think that's the issue. Are there steps I might have missed as far as giving the user access to DynamoDB? Has the process changed with AWS Cognito's new beta user pool system?

Edit 2:

I fixed the previous issue, and for a while, my app was working fine. However, it has suddenly stopped loading DynamoDB data when I sign in, and shows the error message: invalid login token. Can't pass in a Cognito token. Currently, my AppData code looks like this:

    let serviceConfiguration = AWSServiceConfiguration(region: .USEast1, credentialsProvider: nil)
    let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId:APP_CLIENT_ID, clientSecret: APP_CLIENT_SECRET, poolId: USER_POOL_ID)
    AWSCognitoIdentityUserPool.registerCognitoIdentityUserPoolWithConfiguration(serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: USER_POOL_NAME)
    let pool = AWSCognitoIdentityUserPool(forKey:USER_POOL_NAME)
    pool.delegate = self
    self.storyboard = UIStoryboard(name: "Main", bundle: nil)
    self.credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: IDENTITY_POOL_ID, identityProviderManager:pool)
    let manager = IdentityProviderManager(tokens: [NSString:NSString]())
    self.credentialsProvider = AWSCognitoCredentialsProvider(regionType: .USEast1, identityPoolId: IDENTITY_POOL_ID, identityProviderManager: manager)
    let configuration = AWSServiceConfiguration(region:.USEast1, credentialsProvider:credentialsProvider!)
    AWSServiceManager.defaultServiceManager().defaultServiceConfiguration = configuration

...and my sign-in code looks like this:

    if locked { return }
    trimRegistrationValues()
    let name = usernameField.text!
    let user = pool!.getUser(name)
    lock()
    user.getSession(name, password: passwordField.text!, validationData: nil, scopes: nil).continueWithExecutor(AWSExecutor.mainThreadExecutor(), withBlock: {
        (task:AWSTask!) -> AnyObject! in

        if task.error != nil {
            self.sendErrorPopup("ERROR: Unable to sign in. Error description: " + task.error!.description)
        } else {
            print("Successful Login")

            let loginKey = "cognito-idp.us-east-1.amazonaws.com/" + USER_POOL_ID
            var logins = [NSString : NSString]()
            self.credentialsProvider!.identityProvider.logins().continueWithBlock { (task: AWSTask!) -> AnyObject! in

                if (task.error != nil) {
                    print("ERROR: Unable to get logins. Description: " + task.error!.description)

                } else {
                    if task.result != nil{
                        let prevLogins = task.result as! [NSString:NSString]
                        print("Previous logins: " + String(prevLogins))
                        logins = prevLogins
                    }
                    logins[loginKey] = name
                    let manager = IdentityProviderManager(tokens: logins)
                    self.credentialsProvider!.setIdentityProviderManagerOnce(manager)
                    self.credentialsProvider!.getIdentityId().continueWithBlock { (task: AWSTask!) -> AnyObject! in

                        if (task.error != nil) {
                            print("ERROR: Unable to get ID. Error description: " + task.error!.description)

                        } else {
                            print("Signed in user with the following ID:")
                            print(task.result)
                            dispatch_async(dispatch_get_main_queue()){
                                self.performSegueWithIdentifier("mainViewControllerSegue", sender: self)
                            }
                        }
                        return nil
                    }
                }
                return nil
            }
        }
        self.unlock()
        return nil
    })

I haven't changed anything between my app working and not working. I did cause a "too many password resets" error while testing the password reset functionality, but the issue persisted even when I created a new user account on my app, so I don't think that's the cause. Am I handling login correctly? If so, where should I look for other possible causes to this issue?

Recommended answer

The key that you set the ID token against in logins should be of the format cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID> not your USER_POOL_NAME. This blog along with the link in your post for our dev guide should explain the steps and code you need.

As for the solution to deprecated logins dictionary, you need to use this constructor to create the credentials provider. The identityProviderManager here should be an implementation of AWSIdentityProviderManager Protocol and the logins method should return the dictionary mapping for your provider name to the token. The credentials provider will call this method every time it needs the identity provider token. Check this answer for more details.
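A diagnostic for the logins map the answer describes, as an added example in Python for offline debugging (not code from the original post or the AWS SDK): it reads the ID token's claims without verifying the signature and checks them against the expected `cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>` key. The region, pool id, and tokens are constructed placeholders, and the `iss` and `token_use` checks assume standard Cognito user pool tokens.

```python
import base64
import json
import time

def _b64url_json(segment):
    """Decode one base64url JWT segment into a Python object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_logins(logins, region, user_pool_id, now=None):
    """Return a list of problems with a Cognito logins map (empty = looks right).

    Diagnostic only: claims are read without verifying the signature;
    Cognito validates the token itself when credentials are requested.
    """
    expected_key = "cognito-idp.%s.amazonaws.com/%s" % (region, user_pool_id)
    now = time.time() if now is None else now
    if expected_key not in logins:
        return ["no entry for %s (keys present: %s)" % (expected_key, sorted(logins))]
    parts = logins[expected_key].split(".")
    if len(parts) != 3:
        return ["value is not a JWT; pass the session's ID token, not a username"]
    try:
        claims = _b64url_json(parts[1])
    except ValueError:
        return ["token payload is not base64url-encoded JSON"]
    if not isinstance(claims, dict):
        return ["token payload is not a JSON object"]
    problems = []
    if claims.get("iss") != "https://" + expected_key:
        problems.append("iss %r does not match the logins key" % claims.get("iss"))
    if claims.get("token_use") != "id":
        problems.append("token_use is %r, expected 'id'" % claims.get("token_use"))
    if claims.get("exp", 0) <= now:
        problems.append("token expired; fetch a fresh session")
    return problems

def make_sample_token(claims):
    """Build an unsigned, JWT-shaped string (constructed sample data only)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])

# Constructed placeholders, not values from the original post.
REGION, POOL_ID = "us-east-1", "us-east-1_EXAMPLE"
KEY = "cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
GOOD = make_sample_token({"iss": "https://" + KEY, "token_use": "id", "exp": 2000000000})

if __name__ == "__main__":
    print(check_logins({KEY: GOOD}, REGION, POOL_ID, now=1700000000))
    print(check_logins({KEY: "alice"}, REGION, POOL_ID))   # username as value
    print(check_logins({"MyUserPool": GOOD}, REGION, POOL_ID))  # pool name as key
```
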
