如何在给定AWS Cognito access_token的情况下获取AWSCredentials [英] How to get AWSCredentials given a AWS Cognito access_token
问题描述
在一个android应用中,一旦用户完成了对一个服务器的身份验证,我就会从 http://< domain> .auth.< region> .amazoncognito.com/login 收到一个JWT access_tokenCognito用户池.该用户池已链接到Cognito身份池.
In an android app, I receive a JWT access_token from http://<domain>.auth.<region>.amazoncognito.com/login once the user is done authenticating to a Cognito User Pool. That User Pool is linked to a Cognito Identity Pool.
我应该使用那个access_token调用什么API以获得 AWSCredentials 对象.
What API should I call with that access_token to get an AWSCredentials object.
我找到的最接近的是 AssumeRoleWithWebIdentity ,但这是STS API,我在网上阅读的一些内容似乎建议开发人员不要直接使用STS,而要依靠Cognito.
The closest one I found would be AssumeRoleWithWebIdentity, but that is an STS API, and some of what I've read on the web seems to recommend developers not use STS directly but rely on Cognito.
此外,我不希望我需要指定角色名称的API.Cognito身份池已配置为为经过身份验证的用户提供特定角色.并且AssumeRoleWithWebIdentity将角色名称作为API的输入.因此,这看起来不正确.
Moreover, I do not expect the API I need to require specifying a role name. Cognito Identity Pools are already configured to give authenticated users a specific role. And AssumeRoleWithWebIdentity takes a role name as input to the API. Hence that does not look like right.
我查看了 Cognito身份池API参考,并且找不到采用access_token并返回AWS凭证的API.
I've looked at Cognito Identity Pool API Reference, and can't find an API that takes access_token and return AWS credentials.
更新:以下使用 GetCredentialsForIdentity 的答案抛出 ResourceNotFoundException ,表示无法找到指定的IdentityId.
UPDATE:
The following answer which uses GetCredentialsForIdentity throws ResourceNotFoundException saying it cannot find the specified IdentityId.
string access_token = ...
var jwtAccessToken = System.IdentityModel.Tokens.Jwt.JwtSecurityToken(access_token);
var client = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials(),REGION);
var response = await client.GetCredentialsForIdentityAsync(new GetCredentialsForIdentityRequest
{
IdentityId=String.Format("{0}:{1}", REGION, jwtAccessToken.id),
Logins=new Dictionary<string,string>
{
{String.Format("cognito-idp.{0}.amazonaws.com/{1}", REGION, USER_POOL_ID),
access_token}
}
});
推荐答案
经过大量调查,我找到了答案.
After much investigation, I found the answer.
1-需要一个 id_token 而不是 access_token 来向Cognito进行身份验证,这听起来可能会引起误解.AWS的文档,其中说您需要拥有名称/电子邮件等用户属性时要求输入id_token,而在您不需要该信息而只想进行身份验证时要求输入access_token是错误的,或者至少具有误导性
1- One needs an id_token not an access_token to authenticate to Cognito, as misleading as this might sound. AWS's documentation which says you ask for id_token when you need to have user attributes like name / email etc... and ask for an access_token when you don't need that information and just want to authenticate is wrong, or at the very least misleading.
2-这是使用id令牌获取AWS凭证的方法:
2- And here's how you use an id-token to get AWS Credentials:
var credentials = CognitoAWSCredentials(<identity pool Id>, region);
credentials.AddLogin(
"cognito-idp.<region>.amazonaws.com/<user_pool_id>",
id_token); // the raw token
请注意,您不需要 AssumeRoleWithIdentity 或 GetCredentialsWithIdentity ,甚至不需要 AmazonCognitoIdentityClient .
Note that you do not need AssumeRoleWithIdentity, or GetCredentialsWithIdentity, you do not even need a AmazonCognitoIdentityClient.
这篇关于如何在给定AWS Cognito access_token的情况下获取AWSCredentials的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
