如何将API网关与Cognito联合身份和Cognito用户池集成 [英] How to integrate API Gateway with Cognito Federated Identity and Cognito User Pools
问题描述
在AWS中,我建立了一个API网关,该网关调用Lambda函数.用户通过登录与Cognito联合身份池关联的Cognito用户池来获得访问权限,并且关联的IAM角色包含API调用权限. API网关方法是一个POST请求.
In AWS, I have built an API gateway which invokes a Lambda function. Users gain access by logging in to a Cognito User Pool associated with a Cognito Federated Identity Pool and the associated IAM roles contain API invoke permissions. The API Gateway method is a POST request.
如果我将用户池用作API网关的授权者,则可以通过我的javascript网络应用中的ajax请求成功触发Lambda函数-但是请注意,这会向池中的每个用户授予相同的访问权限.我正在尝试为不同的方法创建不同的基于Cognito用户组的访问权限,并且由于在使用Cognito用户池作为授权方时显然无法为每种方法指定不同的用户组,因此我现在可以通过以下方式使用AWS_IAM保护API: API授权者.但是,如果我选择AWS_IAM作为授权者,则会返回:
If I use the User Pool as the authorizer of the API Gateway I am able to successfully trigger the Lambda function via an ajax request in my javascript web app - note though, this grants the same access to every user in the pool. I am trying to create different Cognito User Group based access for different methods and because I apparently cannot specify a different User Group for each method when using the Cognito User Pool as the authorizer, I am now seeing if I can secure the API using AWS_IAM as the API authorizer. However, if I select AWS_IAM as the authorizer I get back:
所请求的资源上不存在"Access-Control-Allow-Origin"标头.因此,不允许访问原始空".响应的HTTP状态码为403.
可能是什么问题?在这种情况下,如何正确设置CORS?我的ajax请求在客户端JavaScript中应该是什么样的? Cognito是否会为我签名,还是我需要对标题做些事情?
使用Cognito用户池时,我拥有:
When I used the Cognito User Pool I had:
$.ajax({
method: 'POST',
url: _config.api.invokeUrl + '/savesurv',
headers: {
Authorization: authToken
},
data: JSON.stringify(Data),
contentType: 'application/json',
success: callback,//console.log("complete"),
error: function ajaxError(jqXHR, textStatus, errorThrown) {
console.error('Error requesting save: ', textStatus, ', Details: ', errorThrown);
console.error('Response: ', jqXHR.responseText);
alert('An error occured when requesting to save:\n' + jqXHR.responseText);
}
});
在这种情况下可以使用,当使用AWS_IAM作为API网关的授权时,是否需要更改它?
This worked in that case, do I need to change it when using AWS_IAM as authorization for the API Gateway?
推荐答案
此处的问题是,当您更改为使用AWS_IAM作为API网关方法的授权者时,请求现在必须包含特定的Amazon标头,而不仅仅是Authorization您指定的标题.
The problem here is that when you changed to use AWS_IAM as the authorizer for your API Gateway method the request must now contain specific amazon headers and not just Authorization header as you have specified.
这称为已签名的Sigv4请求,有关如何创建该请求的更多信息,请参见:
This is called a signed Sigv4 request and more information on how to create the request can be found here:
https://docs.aws.amazon.com/general/latest/gr/sigv4_signing.html
因此,要回答您的问题,Cognito将不会处理签名,您确实需要执行其他步骤,或者获得一个框架来为您处理.
So to answer your question, Cognito will not take care of the signing and you do have to do additional steps, or get a framework to handle that for you.
让我工作的方法是使用Amplify( https://aws-amplify.github. io/)生成我的API请求,此框架将为您签名请求.
The way I got this to work was to use Amplify (https://aws-amplify.github.io/) to generate my API requests and this framework will take care of signing the requests for you.
我很欣赏这是一个高水平的答案,但是在这里进入Amplify可能会引起您一些疑问.
I appreciate that is quite a high level answer but to go into Amplify here would be a bit off topic for you question.
It's worth noting that if you decode your JWT ID Token (the one that you are passing as authToken) using a tool such as https://jwt.io/ it contain details of the groups which your user is in which may give you something to work with. I'm assuming that API Gateway will validate the authenticity of the token so you can rely on the values it contains. Then in API Gateway you can get access to this detail.
这篇关于如何将API网关与Cognito联合身份和Cognito用户池集成的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
