How to get the USER details from a call to HTTP API Gateway + Lambda that is authenticated with an Amazon Cognito User Pool


Problem description

The USER logs in to Amazon Cognito and the App/Web gets an "Access Token" that is used whenever it calls API Gateway (HTTP API or REST API).

The API Gateway is configured to use Cognito User Pool as Authorizer, so if the "Access Token" is valid the call can pass to Lambda.

So, how do I know (inside Lambda) who the user doing the calls is and what his/her details are?

Solution

This answer set me on an easy path, but I realized there is an easier one.

If you dump the content received by the Lambda (python code) like this.

And then call the API like this (GET/POST/other depends on how you defined your API)

# curl --request GET  --header "Authorization: ${TOKEN}"   "${GATEWAY_URL}"

You get a bunch of text. Paste it on https://jsonformatter.curiousconcept.com/ to format it nicely and you will see that within the event you have lots of info like

{
  "version":"2.0",
  "routeKey":"ANY /*****",
  "rawPath":"/default/****",
  "rawQueryString":"",
  "headers":{
     "accept":"*/*",
     "authorization":"eyJraW...QiOi",
     "content-length":"0",
     "host":"*******.execute-api.eu-west-1.amazonaws.com",
     "user-agent":"curl/7.52.1",
     "x-amzn-trace-id":"Root=1-5ff1***eee7347",
     "x-forwarded-for":"**.**.243.124",
     "x-forwarded-port":"443",
     "x-forwarded-proto":"https"
  },
  "requestContext":{
     "accountId":"****",
     "apiId":"*****",
     "authorizer":{
        "jwt":{
           "claims":{
              "at_hash":"-pO***Eg",
              "aud":"1jk***0n0",
              "auth_time":"160***928",
              "cognito:username":"357d***a77de4d",
              "email":"***@gmail.com",
              "email_verified":"true",
              "event_id":"19f7e***dc0e80",
              "exp":"16***28",
              "iat":"16***928",
              "iss":"https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_***8z",
              "name":"UserName",
              "sub":"357***77de4d",
              "token_use":"id"
           },
           "scopes":"None"
        }
     },
     "domainName":"***.execute-api.eu-west-1.amazonaws.com",
     "domainPrefix":"***",
     "http":{
        "method":"GET",
        "path":"/default/***",
        "protocol":"HTTP/1.1",
        "sourceIp":"***",
        "userAgent":"curl/7.52.1"
     },
     "requestId":"Yi***sA=",
     "routeKey":"ANY /***",
     "stage":"default",
     "time":"02/Jan/2021:23:45:15 +0000",
     "timeEpoch":1609631115197
  },
  "isBase64Encoded":false
}

That is, all the user details are there and you don't have to do anything to get them.

In particular, these two are here:

event["requestContext"]["authorizer"]["jwt"]["claims"]["email"]
event["requestContext"]["authorizer"]["jwt"]["claims"]["name"]

This has even better implications.

You can leverage HTTP API Gateway + Lambda for:

  • Validation of an Access TOKEN (if not valid or expired you get an 'Unauthorized' response)
  • Extraction of token scopes / details

All this within 130ms (of which you only pay for 3ms). No loading libraries, no manipulating data, no manual decoding, no bulls**t.

The only required work is to configure the User Pool and API Gateway (HTTP or REST type) to do the Authentication for you.


If you wonder where you get the value of TOKEN, it is encoded on the URL that is called after a successful login to Cognito.

Note that you may get in the response URL 2 tokens, ID_TOKEN and ACCESS_TOKEN. To get the user details you need to call the API using the ID_TOKEN.
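The following is an added example, not code from the answer above: a small Python Lambda handler that reads the user details from the claims API Gateway has already validated and placed in the event (the `requestContext.authorizer.jwt.claims` path shown in the dump), and that rejects an ACCESS_TOKEN with a clear error instead of failing on a missing `email`, which is the ID_TOKEN versus ACCESS_TOKEN point made in the note above. The sample event is constructed to match the shape of the dump, with the redacted values replaced by made-up ones. As a generalization beyond the HTTP API payload on the page, `extract_claims` also looks at `requestContext.authorizer.claims`, which is where a REST API with a Cognito user pool authorizer puts the same claims; that second location is an assumption not taken from the page.

```python
import json

# Constructed sample event: same shape as the HTTP API (payload v2.0) event
# dumped in the answer, with the redacted values replaced by made-up ones.
SAMPLE_EVENT = {
    "version": "2.0",
    "routeKey": "ANY /whoami",
    "rawPath": "/default/whoami",
    "headers": {"authorization": "eyJ...placeholder-not-a-real-token..."},
    "requestContext": {
        "authorizer": {
            "jwt": {
                "claims": {
                    "aud": "example-app-client-id",
                    "cognito:username": "11111111-2222-3333-4444-555555555555",
                    "email": "user@example.com",
                    "email_verified": "true",
                    "iss": "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE",
                    "name": "UserName",
                    "sub": "11111111-2222-3333-4444-555555555555",
                    "token_use": "id",
                },
                "scopes": None,
            }
        },
        "http": {"method": "GET", "path": "/default/whoami"},
    },
    "isBase64Encoded": False,
}


def extract_claims(event):
    """Return the JWT claims API Gateway placed in the event, or None.

    HTTP API (payload v2.0): requestContext.authorizer.jwt.claims (as on the page).
    REST API with a Cognito user pool authorizer: requestContext.authorizer.claims
    (assumed location, not shown on the page).
    None means no authorizer ran for this route, so nothing in the event
    about the caller can be trusted.
    """
    authorizer = event.get("requestContext", {}).get("authorizer") or {}
    if "jwt" in authorizer:
        return authorizer["jwt"].get("claims")
    return authorizer.get("claims")


def user_from_claims(claims):
    """Pick the user details out of an ID token's claims.

    An ACCESS_TOKEN also passes the authorizer, but its claims carry no
    email/name, so we refuse it explicitly rather than return empty fields.
    """
    if claims.get("token_use") != "id":
        raise ValueError(
            "expected an ID token (token_use=id), got %r" % claims.get("token_use")
        )
    return {
        "sub": claims["sub"],  # stable unique user id; prefer it over email as a key
        "username": claims.get("cognito:username"),
        "email": claims.get("email"),
        # Claim values arrive as strings in the event, hence the comparison.
        "email_verified": claims.get("email_verified") == "true",
        "name": claims.get("name"),
    }


def handler(event, context=None):
    """Lambda entry point: report who is calling using only the validated claims.

    The raw Authorization header is deliberately never decoded here; API Gateway
    has already verified the token's signature, issuer and expiry.
    """
    claims = extract_claims(event)
    if claims is None:
        return {"statusCode": 401, "body": json.dumps({"error": "no authorizer context"})}
    try:
        user = user_from_claims(claims)
    except ValueError as exc:
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps(user)}


if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```

The 401 branch is there for a route that was deployed without the authorizer attached: in that case the event still contains an `authorization` header, but nobody has checked it, so the handler refuses rather than reading the caller identity from an unverified header.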
