无需用户凭据的身份验证 [英] Authentication without user credentials

问题描述

我正在组建一个个人 React 站点，并希望向 AWS API 网关发送请求.但是，我只希望我的网站能够提取数据.将没有用户模型，我曾经使用过的每个身份验证模型都要求用户通过登录来做一些事情，无论是 user/pwd 还是 AD.有人可以指导我使用涵盖这种情况的模型吗?

I'm putting together a personal React site and want to send requests to an AWS API Gateway. However, I just want my site to be able to pull data. There will be no user model and every auth model I've ever used requires the user to do something with sign-in, be it user/pwd or AD. Can someone guide me to a model that covers this scenario?

推荐答案

一种常见的方法是使用启用了未经身份验证的身份"的 Cognito 身份池.您可以使用 IAM 保护您的 API 网关端点，并要求请求 sig4 签名.

One common approach is to use a Cognito Identity Pool with "Unauthenticated Identities" enabled. You can secure your API gateway endpoints using IAM, and require requests to be sig4 signed.

通过这种方法，Cognito 仅用于一种身份代理能力，而不是作为实际的身份提供者.您无需创建用户池或使用 Cognito 的任何其他身份管理功能.在这种情况下，Cognito 本质上只是您的代码和 底层 STS API 可生成您的应用程序所需的 IAM 密钥.

With this approach, Cognito is used only in a kind identity broker capacity, not as an actual identity provider. You do not need to create a User Pool or use any other identity management features of Cognito. In this capacity, Cognito is essentially just a thin layer between your code and the underlying STS APIs that produce the IAM keys your application needs.

使用 Cognito SDK，您请求临时 IAM 凭证(访问密钥、秘密密钥、会话令牌)可用于签署请求.

Using the Cognito SDK, you request temporary IAM credentials (access key, secret key, session token) that can be used to sign the requests.

这个答案概述实现这一目标的一种方法.当您要访问的受保护 AWS 资源是 API 网关时，您的代码可能类似于 这篇文章.

This answer outlines one way to accomplish this. When the protected AWS resource you want to access is API Gateway, your code may look something like the example near the end of this post.

我通常要么使用 aws-api-gateway-client，如示例所示，或者 aws4 使用 axios 对请求进行签名.

I typically either use aws-api-gateway-client, as the example does, or aws4 with axios to sign requests.

如上面回答的链接所述，我通常使用 AWS.config.credentials.get()，而不是 AWS.CognitoIdentity.getCredentialsForIdentity() 来实际获取 IAM 密钥(如本文档中所述).

As noted in the linked to answer above, I normally use AWS.config.credentials.get(), rather than AWS.CognitoIdentity.getCredentialsForIdentity() to actually get the IAM keys (as in this doc).

然后签名的请求包含一个很难伪造的 Authorization 标头.我不想说这种方法是万无一失的，但它至少可以让您合理相信您的 API Gateway 端点只会被您的应用程序成功调用.

The signed requests then include an Authorization header that is very difficult to counterfeit. I don't want to suggest that this approach is bulletproof, but it does at least give you a reasonable level of confidence that your API Gateway endpoints are only being successfully invoked by your application.

这篇关于无需用户凭据的身份验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！