AWS Cognito Pre-Token Generation not adding custom claims to ID Token (with ALB setup + Auth Code flow)


Question

I'm adding custom claims to Cognito's ID token using the "Pre Token Generation" trigger.

The lambda is triggered, but the issued ID Token doesn't include the claims I added. Am I missing something?

  • Using OAuth 2.0 with the Authorization Code flow
  • My client application sits behind a load balancer (ALB). The ALB interacts with Cognito to obtain the access + ID tokens in the form of the ALBSessionCookie. Very similar to [0]
  • To get the ID token, the client calls a custom endpoint on my backend with the ALBSessionCookie. The backend uses that cookie to return the decoded ID token to the user. I expect this to be the ID token that should contain the custom claims.

[0] https://www.exampleloadbalancer.com/auth_detail.html

If I can't make this work with ALB, what are some workarounds? Some ideas:

  • Call Cognito directly to get the ID token (somehow), hoping this triggers the lambda to issue a JWT with the custom claims
  • Call Cognito via AmplifyJS
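For reference, this is what a Pre Token Generation handler that adds claims looks like. It is an added example, not code from the question or the answer; the attribute names custom:tenant and custom:role, the claim names, the pool and client identifiers and every value in the sample event are made up for illustration. It uses the version 1 trigger event, which customizes only the ID token, and it is the code path Cognito runs when it issues the tokens itself:

```python
"""Added example: a Cognito Pre Token Generation handler (version 1 event).
It copies values from custom attributes and from the user's groups into the
ID token via response.claimsOverrideDetails, and suppresses one claim."""
import copy

# Claims Cognito sets itself. Treated here as off limits for overrides; the
# authoritative list lives in the Cognito trigger documentation (assumption).
RESERVED_CLAIMS = {
    "sub", "iss", "aud", "exp", "iat", "auth_time", "token_use",
    "cognito:username", "at_hash", "nonce", "jti", "origin_jti",
}


def build_extra_claims(user_attributes, groups):
    """Map custom:* attributes and group names to the claims we want in the
    ID token. Version 1 claim values must be strings."""
    claims = {}
    for attr, claim in (("custom:tenant", "tenant"), ("custom:role", "role")):
        value = user_attributes.get(attr)
        if value:
            claims[claim] = str(value)
    if groups:
        # A list is not a valid claim value here, so serialize it.
        claims["app_groups"] = ",".join(sorted(groups))
    return claims


def lambda_handler(event, context=None):
    request = event["request"]
    attrs = request.get("userAttributes", {})
    groups = request.get("groupConfiguration", {}).get("groupsToOverride") or []
    extra = build_extra_claims(attrs, groups)
    clash = RESERVED_CLAIMS.intersection(extra)
    if clash:
        raise ValueError(f"refusing to override reserved claims: {sorted(clash)}")
    event["response"]["claimsOverrideDetails"] = {
        "claimsToAddOrOverride": extra,
        # Keep this attribute out of the token the browser app can read.
        "claimsToSuppress": ["phone_number"],
    }
    # The trigger contract is to return the (mutated) event.
    return event


# Constructed sample event, shaped like what Cognito sends for a hosted-UI /
# authorization-code login. All values are made up for this example.
SAMPLE_EVENT = {
    "version": "1",
    "triggerSource": "TokenGeneration_HostedAuth",
    "region": "us-east-1",
    "userPoolId": "us-east-1_EXAMPLE",
    "userName": "alice",
    "callerContext": {
        "awsSdkVersion": "aws-sdk-unknown-unknown",
        "clientId": "example-app-client-id",
    },
    "request": {
        "userAttributes": {
            "sub": "11111111-2222-3333-4444-555555555555",
            "email": "alice@example.com",
            "phone_number": "+15555550100",
            "custom:tenant": "acme",
            "custom:role": "admin",
        },
        "groupConfiguration": {
            "groupsToOverride": ["readers", "admins"],
            "iamRolesToOverride": [],
            "preferredRole": None,
        },
    },
    "response": {},
}


def run_sample():
    """Run the handler on a copy of the sample event; return the override block."""
    out = lambda_handler(copy.deepcopy(SAMPLE_EVENT))
    return out["response"]["claimsOverrideDetails"]


if __name__ == "__main__":
    print(run_sample())
```

The handler only has to fill in event["response"]["claimsOverrideDetails"] and return the event. The reserved-claim check is a defensive addition of this example: Cognito rejects overrides of the claims it manages, and failing loudly in the trigger is easier to debug than a token that silently lacks the claim.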

Answer

Yeah, the ALB doesn't work that way; the ID Token that the Lambda trigger customizes is the one you get when a user authenticates. There are a couple of options.

Custom user attributes

The least invasive, IMO: instead of adding these attributes in the Lambda trigger, you could have them as custom attributes in Cognito; these, I do believe, will be in this token. You can sync these attributes at each successful authorization. That may meet your requirements.

API GW

You could put an API GW either between your LB and your app or in front of your LB. The API GW does give you a layer in which you can do all this stuff and more, with customizing headers, tokens etc. For example, you could have a Lambda Authorizer which reads this access token and returns a context which you can reference in your integration requests back to your backend. It's a bit more involved and will add at least some latency to your app, although you can safely have a large TTL on your auth response because your LB is already doing auth and you only want some extra attributes. You could also do a re-design and put this all in API GW and get all the bells and whistles it has, but you might not need them.

But yeah, probably easiest to use the first option if possible, as that won't require you to do a redesign and you will just need to change your attribute names to custom:...
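As an added example of the API GW option (not code from the answer), here is a REST API Gateway TOKEN authorizer in Python that validates the claims of a Cognito access token and returns a policy whose context carries the attributes the backend needs. The issuer, client ID, method ARN and the contents of the sample token are assumed values. Signature verification against the user pool's JWKS is deliberately not shown; in a real deployment it must run before any of these checks, which is what a JWT library pointed at the pool's jwks.json does.

```python
"""Added example: REST API Gateway TOKEN authorizer for a Cognito access token.
It checks the claims that matter (issuer, token_use, client_id, expiry), then
returns an Allow policy whose `context` carries selected attributes for the
backend integration. Signature verification is NOT performed here."""
import base64
import json
import time

# Assumed values for this example; substitute your pool and app client.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(token):
    """Return the JWT payload as a dict. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload = json.loads(_b64url_decode(parts[1]))
    if not isinstance(payload, dict):
        raise ValueError("payload is not an object")
    return payload


def validate_access_claims(claims, issuer, client_id, now):
    """Reject tokens from another pool, ID tokens presented as access tokens,
    tokens minted for a different app client, and expired tokens."""
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "access":
        raise ValueError("not an access token")
    if claims.get("client_id") != client_id:
        raise ValueError("wrong client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if "sub" not in claims:
        raise ValueError("missing sub")
    return claims


def build_context(claims):
    """Authorizer context values must be strings, numbers or booleans:
    no nested objects or nulls, so the group list is joined into a string."""
    return {
        "sub": claims["sub"],
        "username": claims.get("username", ""),
        "groups": ",".join(claims.get("cognito:groups", [])),
        "scope": claims.get("scope", ""),
    }


def policy(principal, effect, method_arn, context=None):
    doc = {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": method_arn,
            }],
        },
    }
    if context:
        doc["context"] = context
    return doc


def lambda_handler(event, context=None, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    now = time.time() if now is None else now
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    try:
        claims = validate_access_claims(decode_payload(token), issuer, client_id, now)
    except (ValueError, KeyError):
        # A Deny is cached for the authorizer TTL just like an Allow.
        return policy("anonymous", "Deny", event["methodArn"])
    return policy(claims["sub"], "Allow", event["methodArn"], build_context(claims))


def make_unsigned_token(payload):
    """Constructed test token with a dummy signature, only for exercising the
    claim checks offline; never usable against a real pool."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'example'})}.{enc(payload)}.dummy-signature"


SAMPLE_NOW = 1_700_000_000
SAMPLE_CLAIMS = {  # constructed, shaped like a Cognito access token payload
    "sub": "11111111-2222-3333-4444-555555555555",
    "iss": ISSUER, "client_id": CLIENT_ID, "token_use": "access",
    "username": "alice", "cognito:groups": ["admins", "readers"],
    "scope": "openid profile", "exp": SAMPLE_NOW + 3600,
}


def run_sample(claims=None):
    event = {
        "type": "TOKEN",
        "authorizationToken": "Bearer " + make_unsigned_token(claims or SAMPLE_CLAIMS),
        "methodArn": "arn:aws:execute-api:us-east-1:123456789012:abcdef123/prod/GET/me",
    }
    return lambda_handler(event, now=SAMPLE_NOW)


def run_expired_sample():
    return run_sample(dict(SAMPLE_CLAIMS, exp=SAMPLE_NOW - 1))
```

On the API GW side, an integration request header mapping such as X-Groups = context.authorizer.groups forwards a context value to the backend. API GW caches the returned policy per token for the authorizer TTL, so with a long TTL a token revoked in Cognito keeps working at the gateway until the cache entry expires; that is the trade-off behind the "large TTL" remark above.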
