Is it possible to use Cognito's Authorization code grant type as an authorizer in API Gateway?

Problem description

I would like to know whether there is any way or possibility to implement the authorization code grant type as an Authorizer for securing API Gateway. As I searched, the 'Authorization code' grant type is the most recommended for securing an API. I found the article below, which explains using Cognito 'client credentials' as the grant type to secure API Gateway:

https://medium.com/@awskarthik82/part-1-securing-aws-api-gateway-using-aws-cognito-oauth2-scopes-410e7fb4a4c0

I tried a similar way to create an API Gateway, where I have done the following integration:

  1. Created a user pool 'UI Hosted' in Cognito with the grant type 'Authorization code'

     - Added a resource server

     - Chose the default scopes, as I don't want to add any new scope

     - Associated the callback URI

     - Now I am able to access the login page to sign up and sign in, and it returns the 'Authorization code' in the callback URI

  2. I created an API and integrated some mock response

     - Attached the above user pool as Authorizer in API Gateway and deployed

     - Now when I invoke the API without passing a token, it returns 'Unauthorized'

     - So I used the approach below to extract the access token from Cognito:

       How to exchange the authorization code programmatically using Python to get an access token from Cognito

     - And passed the token in the API header using Postman, but I am still getting an 'Unauthorized' response

So I would like to know what needs to be done in API Gateway in order to verify the token, or what went wrong in this approach?

Appreciate it if anybody can help on this.

Thanks

Recommended answer

Finally I got the answer here:

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-user-pool-oauth-2-0-grants/

So I created a simple Flask logic here to exchange the auth code to get the 'id_token' from Cognito, which can then be passed in the API header to get the response.

import requests

# Placeholders: the original post does not give these values. 'url' is the
# Cognito hosted UI domain of the user pool, 'App_client_id' the app client id.
url = 'https://<your-cognito-domain>.auth.<region>.amazoncognito.com'
grant_type = 'authorization_code'
App_client_id = '<app-client-id>'


def getToken(auth_code):
    """Exchange the authorization code from the callback URI for an id_token."""
    try:
        print("Code is", auth_code)
        # Content-Type belongs in the request headers; requests form-encodes a
        # dict body by itself, so it must not be sent as a form field.
        response = requests.post(
            url + '/oauth2/token',
            headers={'Content-Type': 'application/x-www-form-urlencoded'},
            data={'grant_type': grant_type, 'client_id': App_client_id,
                  'code': auth_code, 'redirect_uri': 'http://localhost:5000/login'})
        if response.status_code != 200:
            return "Not a valid response"
        token_value = response.json()
        print("Token value", token_value['id_token'])
        return token_value['id_token']
    except (requests.RequestException, KeyError, TypeError, ValueError) as e:
        print("Error is", e)
        return None
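The reason the access token was rejected while the id_token works is visible in the token claims: a Cognito user pool authorizer with no OAuth scopes configured on the method validates an ID token, whose `aud` must equal the app client id, and an access token carries `token_use: "access"` and `client_id` instead of `aud`. The following added example (not code from the original post) decodes a token's payload and lists the claim-level reasons such an authorizer would answer 'Unauthorized'; the issuer URL and client id are assumed placeholders, and it deliberately does not replace the JWKS signature check the authorizer also performs.

```python
import base64
import json
import time

# Assumed values (not from the original post): the issuer is
# https://cognito-idp.<region>.amazonaws.com/<user-pool-id>.
USER_POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
APP_CLIENT_ID = "exampleclientid123"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(jwt):
    """Return the payload claims of a JWT. The signature is NOT verified here."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_id_token_claims(jwt, now=None):
    """List the claim-level reasons a Cognito user pool authorizer (no scopes on
    the method) would reject this token as an ID token. Empty list = claims OK."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    problems = []
    if claims.get("token_use") != "id":
        problems.append("token_use is %r, expected 'id'" % claims.get("token_use"))
    if claims.get("iss") != USER_POOL_ISS:
        problems.append("iss does not match the user pool")
    if claims.get("aud") != APP_CLIENT_ID:
        problems.append("aud does not match the app client id")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_jwt(claims):
    # Constructed sample only: builds the three-segment layout with an empty
    # signature so the claim checks above can be exercised offline.
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s." % (seg({"alg": "RS256", "kid": "example"}), seg(claims))
```

Running `check_id_token_claims` on a real access token from the `/oauth2/token` response reports the `token_use` and `aud` mismatches, which is exactly what the authorizer turns into 'Unauthorized'.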
