Token is not from a supported provider of this identity pool Amazon Mobile Hub Android


Question

When I click Google Login I'm getting Token in onActivityResult method using the below code:

 GoogleSignInAccount account = result.getSignInAccount();
 String token = account.getIdToken();

 credentialsProvider = new CognitoCachingCredentialsProvider(
     Login.this,        // Context
     "My Pool ID",      // Identity Pool ID
     Regions.US_EAST_1  // Region
 );

I have added the Google client ID in Cognito using manage Federated Identities. I have cross checked all the keys in IAM accounts.google.com, everything seems to be perfect.

 final Map<String, String> logins = new HashMap<String, String>();
 logins.put("accounts.google.com", account.getIdToken());

 credentialsProvider.setLogins(logins);
 credentialsProvider.refresh();

When I try to get the identity ID using the below code I'm getting error - Token is not from a supported provider of this identity pool. What could be the mistake?

 credentialsProvider.getIdentityId();

Recommended answer

In my case, I had a trailing slash in my IAM identity provider for accounts.google.com, like this:

The one with the trailing slash is wrong; the one without the trailing slash works correctly. It's interesting that AWS will fetch the same thumbprint for both of those.

In the AWS IAM console under Accounts > Providers > accounts.google.com, add the key for "Android client for com.example.yourstuff (auto created by Google Service)" as an audience. It looks something like "222222222222-x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8x8.apps.googleusercontent.com" (Then, when you're debugging, go ahead and add all the rest of the keys as audience entries; you can go back later and figure out which ones you can remove.)

In the call to GoogleSignInOptions.Builder, you need a call to #requestIdToken using your web application key under OAuth 2.0 client IDs on the Google APIs > API Manager > Credentials page:

GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
  .requestIdToken("999999whateverxxxx.apps.googleusercontent.com")
  .build()

(The token can get cached; if you run your app with the requestIdToken call, then remove the requestIdToken call, and run again, you can still get a result from a call to getIdToken() on the GoogleSignInAccount object.)

The Google login code will eventually give you a GoogleSignInAccount object. Call #getIdToken on that object to get a string (in my case, it's 83 chars) that you're going to put in the login hash:

  // pseudocode...
  private fun fn(x: GoogleSignInAccount) {
    val token = x.idToken // getIdToken if you're still using Java
    val logins = HashMap<String, String>()
    logins.put("accounts.google.com", token)
    credentialsProvider.logins = logins
  ...

If you don't have the right key listed in IAM > Providers > accounts.google.com, you'll get a NotAuthorizedException(Invalid login token. Incorrect token audience.) exception.

If you added that extra slash to accounts.google.com/, you'll get a NotAuthorizedException(Token is not from a supported provider of this identity pool.)

If you try to add accounts.google.com/ to the login hash like this (don't do this, fix the IAM identity provider name instead):

logins.put("accounts.google.com/", token);

You'll get a NotAuthorizedException(Invalid login token. Issuer doesn't match providerName) exception.

If you use the wrong token you'll get a NotAuthorizedException (Invalid login token. Token signature invalid.) exception.

(I suspect there are many other ways to fail; these are just the ones I've found.)
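
The provider-name and audience mismatches described in the answer can be checked before calling Cognito by decoding the ID token's claims and comparing them with the configuration. This is an added example, not code from the original post and not Cognito's own validation logic; `preflight`, `jwt_claims`, `make_sample_token` and the sample client ID are hypothetical names and constructed values.

```python
import base64
import json
import time

def strip_scheme(url):
    # Google ID tokens carry iss as "accounts.google.com" or "https://accounts.google.com"
    return url[len("https://"):] if url.startswith("https://") else url

def jwt_claims(id_token):
    """Decode the JWT payload only. No signature check: this is for diagnosis."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT; is this the value from getIdToken()?")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def preflight(id_token, logins_key, iam_provider_url, iam_audiences, now=None):
    """Compare token claims with the logins-map key and the IAM provider settings."""
    claims = jwt_claims(id_token)
    issuer = strip_scheme(claims.get("iss", ""))
    aud = claims.get("aud")
    token_auds = aud if isinstance(aud, list) else [aud]
    problems = []
    # A trailing slash on the IAM provider name is the case the answer describes.
    if strip_scheme(iam_provider_url) != issuer:
        problems.append("provider: IAM provider %r != token issuer %r" % (iam_provider_url, issuer))
    # The key in the logins map must name the issuer exactly.
    if logins_key != issuer:
        problems.append("logins-key: %r != token issuer %r" % (logins_key, issuer))
    # The client ID passed to requestIdToken must be listed as an audience.
    if not set(token_auds) & set(iam_audiences):
        problems.append("audience: %r not in IAM audiences" % (token_auds,))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        problems.append("expired: token exp is in the past (cached token?)")
    return problems

def make_sample_token(claims):
    # Constructed, unsigned token for the demo; real tokens come from getIdToken().
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2ln"])

SAMPLE_AUD = "000000000000-constructed.apps.googleusercontent.com"  # constructed value
SAMPLE = make_sample_token(
    {"iss": "https://accounts.google.com", "aud": SAMPLE_AUD, "exp": 2000000000})

if __name__ == "__main__":
    for provider in ("accounts.google.com", "accounts.google.com/"):
        print(provider, preflight(SAMPLE, "accounts.google.com", provider,
                                  [SAMPLE_AUD], now=1700000000))
```
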
