What does the `aws.cognito.signin.user.admin` scope mean in Amazon Cognito?


Question

Amazon Cognito has a number of system-reserved scopes:

  • openid
  • email
  • phone
  • profile
  • aws.cognito.signin.user.admin

But doesn't document what they give access to.

The first 3 are fairly self-explanatory. I would expect profile to mean the user profile.

I've found by trial-and-error that I need aws.cognito.signin.user.admin to use the Amazon Cognito Get User API call. I would have expected this to be profile instead, but OK, fine.

What I'm concerned about is what else aws.cognito.signin.user.admin might do. If I let 3rd party clients request this scope, what am I giving them access to?

Answer

The aws.cognito.signin.user.admin scope gives you access to all the User Pool APIs that can be accessed using access tokens alone (full documentation here).

Note that this doesn't mean that the user would have arbitrary access to all the AWS API (like an IAM role might), but that if the request syntax for that API call includes "AccessToken": "string", then an access token granted using aws.cognito.signin.user.admin will be able to call it.

As a rule, the Cognito UserPools APIs (and it's only Cognito UserPool APIs) that authorise like this are ones that allow you to modify something on your own UserPools profile (i.e. do not start with Admin and affect a single profile):

At a glance through the API, these actions are (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html):

  • AssociateSoftwareToken
  • ChangePassword
  • ConfirmDevice
  • DeleteUser
  • DeleteUserAttributes
  • ForgetDevice
  • GetDevice
  • GetUser
  • GetUserAttributeVerificationCode
  • GlobalSignOut
  • ListDevices
  • SetUserMFAPreference
  • SetUserSettings
  • UpdateDeviceStatus
  • UpdateUserAttributes
  • VerifySoftwareToken
  • VerifyUserAttribute
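A way to turn the answer into a concrete check on the relying-party side, as an added example that is not part of the original answer: inspect the claims of a presented Cognito access token and flag when an app client outside a first-party allowlist holds `aws.cognito.signin.user.admin`. The token, the client ids and the allowlist are constructed for the example; signature verification against the user pool's JWKS is assumed to be done by a JWT library before these claims are trusted.

```python
import base64
import json
import time

ADMIN_SCOPE = "aws.cognito.signin.user.admin"

def decode_claims(token: str) -> dict:
    """Parse the claims of a compact JWT (header.payload.signature).
    This does NOT verify the signature; a JWT library checking the user pool's
    JWKS is assumed to have done that before the claims are trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def audit_access_token(claims: dict, first_party_clients: set, now=None) -> list:
    """Return findings for a Cognito access token presented by an app client.
    Cognito access tokens carry token_use="access", client_id and a
    space-separated `scope` claim; ID tokens carry no scope at all."""
    now = time.time() if now is None else now
    findings = []
    if claims.get("token_use") != "access":
        findings.append("token_use is not 'access' (ID tokens carry no scopes)")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    scopes = set(claims.get("scope", "").split())
    client = claims.get("client_id", "")
    if ADMIN_SCOPE in scopes and client not in first_party_clients:
        findings.append(
            f"third-party client {client} holds {ADMIN_SCOPE}: it can call every "
            "user-pool API that authorises with AccessToken alone (GetUser, "
            "UpdateUserAttributes, ChangePassword, DeleteUser, ...)")
    return findings

def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def constructed_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token so the checks run offline.
    The signature segment is a placeholder; real tokens are signed by Cognito."""
    return f"{_b64url({'alg': 'RS256', 'kid': 'constructed'})}.{_b64url(claims)}.placeholder"

if __name__ == "__main__":
    tok = constructed_token({"token_use": "access", "client_id": "3rdparty-client",
                             "scope": "openid profile " + ADMIN_SCOPE,
                             "exp": int(time.time()) + 3600})
    for finding in audit_access_token(decode_claims(tok), {"my-web-app"}):
        print("FINDING:", finding)
```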
