AWS cognito:使用用户名/密码或 facebook 登录 [英] AWS cognito: sign in with usernam/password OR facebook
问题描述
我想集成一个非常标准的功能:让用户(移动和网络)可以选择使用电子邮件/密码登录或使用 RBAC 的 facebook(谷歌)帐户登录(不同的用户可能有不同的角色,如用户、版主、管理员、创作者等).这基本上是我想要的登录内容:
I want to integrate a pretty standard functionality: give option to user (mobile and web) to either login with email/password or with facebook (google) account with RBAC (different users may have different roles, like users, moderators, admins, creators, etc). Here is basically what I want from sign in:
我浏览了许多 AWS 教程和其他材料.我对如何实现它有所了解,但我仍然没有全貌.希望有人能在这里帮助我.
I went through a number of AWS tutorials and other materials. I got some grasp on how to implement it, but I still don't have a full picture. Hope someone can help me here.
这是我目前的理解(请纠正我的错误).
Here is my current understanding (please correct me where I'm wrong).
1) 对于电子邮件/密码注册/登录,我使用用户池.当用户登录时,我调用 authenticateUser(我使用的是 JS SDK):
1) For the email/password signup/signin I use a User Pool. When user signs-in I call authenticateUser (I'm using JS SDK):
cognitoUser.authenticateUser(authenticationDetails, {
..
})
成功的地方
- 我存储身份、访问和刷新令牌,因此,用户不必每次都输入他的凭据
- 因为用户将访问 AWS 服务(例如 S3),所以我将 idToken 交换为 AWS 凭证
- 将 AWS 凭证存储在 LocalStore 中以供访问资源时进一步使用
2) 对于 facebook 登录,我使用联合身份
2) For the facebook sign-in I use Federated Identity
- 获取 Facebook 访问令牌
- 使用 fb 令牌获取认知身份
- 将认知身份交换到 AWS 凭证并将其存储在 LocalStore 中
第一季度.注册/登录的逻辑是否有效且相当完整?我错过了什么吗?
Q1. Is it valid and fairly complete logic for sign-up/sign-in? Did I miss anything?
第 2 季度.我应该如何存储 Facebook 用户?我可以在用户池中进行吗?我的印象是这是不可能的,但这意味着我有 2 个不同的用户目录:一个在 UserPool 中,另一个在另一个地方(比如在 DynamoDB 中)
Q2. How should I store facebook users? Can I do it in User Pools? I have impression that it's not possible, but that means I have 2 different user directories: one in UserPool and another one in another place (lets say in DynamoDB)
第三季度.如果我必须将用户存储在不同的地方(UserPool 和 DynamoDB),这意味着我有 2 个用户,基本上是一个用户,他们首先使用电子邮件/密码注册,然后决定使用 facebook - 这对我作为应用程序管理员和用户来说都是不便.遇到这种情况怎么办?
Q3. If I have to store users in different places (UserPool and DynamoDB) that means I have 2 users for essentially one user, who first registered with email/password and then decided to use facebook - this is inconvenience for both me as app admin and user. How to deal with this situation?
第四季度.如何为使用 Facebook 令牌登录的用户(如用户、版主、管理员、创建者等)管理群组?
Q4. How to manage groups for users, who signed-in with facebook token (like users, moderators, admins, creators, etc)?
Q5.我应该如何限制 Facebook 登录用户访问 AWS 以外的资源?
Q5. How should I restrict access to resources other than AWS for facebook signed-in users?
Q6.任何工作示例?
谢谢!
推荐答案
我是人类,可能遗漏了一些东西,但这对我来说听起来不错.
I'm human and may have missed something, but that sounds pretty good to me.
您不能在用户池中存储联合身份登录.用户池作为另一个身份提供者,就像 Facebook 一样.Dynamo(或其他)将是要走的路.
You can't store a federated identities login in user pools. Thing of user pools as another identity provider, just like Facebook is. Dynamo (or something else) would be the way to go.
如果用户同时登录并链接这些登录,您可能需要考虑完全避免使用用户池属性而仅使用 dynamo.通过链接两个登录,Cognito 联合身份只需要一个登录令牌即可继续,但用户池需要它的登录令牌才能查看/更新属性.用户必须登录用户池才能访问这些属性,这会变得很混乱.
If a user logged in with both, linking those logins, you might want to consider avoiding user pools attributes entirely and only using dynamo. With two logins linked, Cognito federated identities only requires one login token to proceed, but user pools requires it's login token to see/update attributes. The user would have to login with the user pool to touch those attributes, it'd get messy.
这篇关于AWS cognito:使用用户名/密码或 facebook 登录的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
