AWS API Gateway - using Access Token with Cognito User Pool authorizer?


Problem description

I am configuring an app with various frontends (mobile and web apps) and a single API backend, powered by Lambda and accessed via AWS API Gateway.

As I'm planning to use Cognito to authenticate and authorize users, I have set up a Cognito User Pool authorizer on my API Gateway and several API methods.

With an architecture like this, it seems logical that my apps (e.g. an iOS or Vue.js app) are the Client applications from an OAuth perspective, and my API Gateway backend is a Resource Server. Based on this Auth0 forum post it seems clear that I should therefore use an ID token in my client app, and pass an Access Token to authorize my API Gateway resources.

When I hit the Cognito /oauth2/authorize endpoint to get an access code and use that code to hit the /oauth2/token endpoint, I get 3 tokens - an Access Token, an ID Token and a Refresh Token. So far so good, as I should have what I need.

This is where I've run into difficulties - using the test function on the API Gateway Cognito User Pool Authorizer console, I can paste in the ID token and it passes (decoding the token on-screen). But when I paste in the Access Token, I get 401 - unauthorized.

In my Cognito setup, I have enabled Authorization Code Grant flow only, with email and openid scopes (this seems to be the minimum allowed by Cognito as I get an error trying to save without at least these ticked).

Do I need to add some specific scopes to get API Gateway to authorize a request with the Access Code? If so, where are these configured?

Or am I missing something? Will API Gateway only allow an ID token to be used with a Cognito User Pool Authorizer?

Recommended answer

You can use an access token with the same authorizer that works for the id token, but there is some additional setup to be done in the User Pool and the APIG.

Even when this extra setup is done you cannot use the built-in authorizer test functionality with an access token, only an id token. Typical 80% solution from AWS!

To use an access token you need to set up resource servers in the User Pool under App Integration -> Resource Servers. It doesn't matter what you use, but I will assume you use <site>.com for the Identifier and you have one scope called api.

Now go to the method in APIG and enter the Method Request for the method. Assuming this is already set up with an authorizer tested with the id token, you then add <site>.com/api to the Settings -> OAuth Scopes section.

Just by adding the OAuth Scope it will make sure that the token now has to be an access token and an id token is no longer accepted.

It is documented in detail here: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-enable-cognito-user-pool.html
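The behaviour the answer describes (an id token passes when no OAuth scopes are configured on the method, while an access token passes only once the method lists a scope the token carries) can be reproduced locally. The following is an added illustration, not code from the question, the answer, or AWS; it builds two unsigned sample tokens with hand-constructed claims (the app client id, the `<site>.com/api` scope from the answer) and implements the claim check the authorizer applies. Signature verification against the user pool's JWKS is deliberately omitted because the tokens are constructed; a real validator must perform it before trusting any claim.

```python
import base64
import json


def _b64url(obj: dict) -> str:
    """Base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_token(payload: dict) -> str:
    """Build a constructed, UNSIGNED JWT: header.payload.placeholder-signature."""
    header = _b64url({"alg": "RS256", "kid": "example-kid"})  # constructed header
    return f"{header}.{_b64url(payload)}.signature-placeholder"


# Assumed values for the demo: an app client id and the resource server
# identifier/scope from the answer.
CLIENT_ID = "example-app-client-id"
API_SCOPE = "<site>.com/api"

# Constructed Cognito-shaped claims. An id token carries token_use="id" and
# an "aud" claim; an access token carries token_use="access", "client_id"
# and a space-separated "scope" claim (Cognito never puts "aud" in it).
ID_TOKEN = make_token({"token_use": "id", "aud": CLIENT_ID, "sub": "user-1"})
ACCESS_TOKEN = make_token({
    "token_use": "access",
    "client_id": CLIENT_ID,
    "scope": f"openid email {API_SCOPE}",
    "sub": "user-1",
})


def decode_claims(token: str) -> dict:
    """Return the payload claims. Signature is NOT verified (constructed tokens)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def authorize(token: str, method_scopes: list[str], client_id: str = CLIENT_ID) -> bool:
    """Emulate the Cognito User Pool authorizer's claim check for one method.

    With OAuth scopes configured on the method, only an access token whose
    "scope" claim contains one of them is accepted. With no scopes configured,
    the "aud" claim is checked against the app client id, which only an id
    token carries, so an access token is rejected (the 401 from the question).
    """
    claims = decode_claims(token)
    if method_scopes:
        if claims.get("token_use") != "access":
            return False
        granted = set(claims.get("scope", "").split())
        return any(scope in granted for scope in method_scopes)
    return claims.get("token_use") == "id" and claims.get("aud") == client_id


if __name__ == "__main__":
    print("id token, no scopes     :", authorize(ID_TOKEN, []))
    print("access token, no scopes :", authorize(ACCESS_TOKEN, []))
    print("access token, api scope :", authorize(ACCESS_TOKEN, [API_SCOPE]))
    print("id token, api scope     :", authorize(ID_TOKEN, [API_SCOPE]))
```

Running it shows the two failure modes side by side: the access token is refused until the method lists a scope, and the id token is refused as soon as it does. The same table is what to check first when a Cognito-protected method unexpectedly returns 401.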
