AWS: How to properly authenticate a user against Cognito Pool and use it for Cognito Federated Identity?

Question

I am working on an app which will use two authentication providers:

  • Facebook
  • Cognito User Pools

With the former, I have no issues, everything works as intended. However, while setting up the authentication with Cognito User Pools, I am hitting one wall after the other. I am using AWS SDK 2.4.9, XCode 8 and Swift 3.

I am aware that a lot of questions have already been asked, and a lot of "guides" are out there. However, a lot of them are answered/made for outdated docs and SDK. Even the official AWS documentation is out of date.

The authentication steps that I am going through are as follows:

1. Configure the initial Cognito pool

///  Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

/// Create a pool configuration and register it for a specific key to use later
let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID)
AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey)

/// Create a pool for a specific predefined key
pool = AWSCognitoIdentityUserPool(forKey: poolKey)

2. Authenticate the user against the Cognito User Pool

    user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in

        if let error = task.error as? NSError {
            completionHandler(error)
            return nil
        }

        let session = task.result! as AWSCognitoIdentityUserSession
        let token = session.idToken!.tokenString

        let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString]
        let identityProvider = CognitoPoolIdentityProvider(tokens: tokens)

        let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider)

        ///  Set the default service configuration
        let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider)
        AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

        credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in
            completionHandler(task.error as NSError?)
            return nil
        })

        return nil
    })

3. The CognitoPoolIdentityProvider class

    class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager {

        var tokens : NSDictionary = [:]

        init(tokens: [NSString : NSString]) {
            self.tokens = tokens as NSDictionary
        }

        @objc func logins() -> AWSTask<NSDictionary> {
            return AWSTask(result: tokens)
        }

    }

4. Store data to Cognito Federated Identities

All this passes without any errors. However, now I want to store the data that I have pulled from Cognito Pool to a specific Cognito Federated Identity Dataset, so I am calling: userProfile.synchronize().continue and I am getting the following results:

getCredentialsWithCognito:authenticated:customRoleArn:]_block_invoke | GetCredentialsForIdentity failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden.}]

2016-11-10 10:27:16.947365 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSIdentityProvider.m line:304 | __52-[AWSCognitoCredentialsProviderHelper getIdentityId]_block_invoke.255 | GetId failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}] 2016-11-10 10:27:16.947726 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error]

AWSCredentialsProvider.m line:577 | __44-[AWSCognitoCredentialsProvider credentials]_block_invoke.352 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}] 2016-11-10 10:27:16.948452 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error]

AWSCognitoDataset.m line:352 | __30-[AWSCognitoDataset syncPull:]_block_invoke | Unable to list records: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.} [10:27:16]: saveSettings AWS task error: The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)

After changing the log level, I can see the following:

// Request

2016-11-10 10:33:08.095735 xxxxxxxx[19874:5616142] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:543 | -[AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] | Request body: {"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}

// Response

2016-11-10 10:33:08.714268 xxxxxxxx[19874:5616154] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:553 | -[AWSURLSessionManager printHTTPHeadersForResponse:] | Response headers: { Connection = "keep-alive"; "Content-Length" = 129; "Content-Type" = "application/x-amz-json-1.1"; Date = "Thu, 10 Nov 2016 09:33:08 GMT"; "x-amzn-ErrorMessage" = "Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."; "x-amzn-ErrorType" = "NotAuthorizedException:"; "x-amzn-RequestId" = "b0ac6fb0-a728-11e6-8413-1fdb846185bb"; }

The above request is the GetID API call. Clearly, it does not match the request format from the AWS Docs: http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html.

According to the AWSServiceManager class we have this:

/**
 The default service configuration object. This property can be set only once, and any subsequent setters are ignored.
 */
@property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;

This means that setting the new service configuration is pointless, but I see no other way to refresh the credentials that I have obtained through the Cognito User Pool authentication.

That's pretty much it. Any ideas?

Thanks

Recommended answer

It seems from the error you are getting

  Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden

that the credentials that you obtained in the first part cannot access the identity you have made the synchronize call with so your identity probably changed.
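Added example, not from the question or the answer: a small offline check, in Python, for the logins map that step 2 builds from the user pool ID token. It derives the expected key from the token's `iss` claim (the same `cognito-idp.<region>.amazonaws.com/<poolId>` form used in the Swift code) and flags an empty map, which the identity pool treats as an unauthenticated request, i.e. the "Unauthenticated access is not supported for this identity pool" error in the logs above. The pool id is a constructed placeholder and `make_unsigned_token` exists only to build test input; real tokens are signed by Cognito and verified by the service, not by this script.

```python
import base64
import json
import time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_unsigned_token(claims: dict) -> str:
    """Constructed JWT with a placeholder signature, for offline testing only."""
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.signature-placeholder"

def id_token_claims(id_token: str) -> dict:
    """Payload claims of a JWT. The signature is NOT verified here: this only
    inspects which pool issued the token; Cognito Identity does the real check."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))

def logins_key_for(id_token: str) -> str:
    """The logins-map key for a user pool token is its issuer without the scheme:
    https://cognito-idp.<region>.amazonaws.com/<poolId> -> cognito-idp.<region>.amazonaws.com/<poolId>"""
    iss = id_token_claims(id_token)["iss"]
    if not iss.startswith("https://cognito-idp."):
        raise ValueError(f"issuer is not a Cognito user pool: {iss}")
    return iss[len("https://"):]

def check_logins_map(logins: dict, now=None) -> list:
    """Problems a GetId/GetCredentialsForIdentity call would reject with
    NotAuthorizedException, caught locally before any network call is made."""
    now = time.time() if now is None else now
    if not logins:
        return ["logins map is empty: the request is unauthenticated"]
    problems = []
    for key, token in logins.items():
        claims = id_token_claims(token)
        expected = logins_key_for(token)
        if key != expected:
            problems.append(f"key {key!r} does not match issuer; expected {expected!r}")
        if claims.get("token_use") != "id":
            problems.append("token_use is not 'id': pass the ID token, not the access token")
        if claims.get("exp", 0) <= now:
            problems.append("ID token has expired; refresh the session first")
    return problems
```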
