What does the `aws.cognito.signin.user.admin` scope mean in Amazon Cognito?


Question

Amazon Cognito has a number of system-reserved scopes:

  • openid
  • email
  • phone
  • profile
  • aws.cognito.signin.user.admin

But doesn't document what they give access to.

The first 3 are fairly self-explanatory. I would expect profile to mean the user profile.

I've found by trial-and-error that I need aws.cognito.signin.user.admin to use the Amazon Cognito Get User API call. I would have expected this to be profile instead, but OK, fine.

What I'm concerned about is what else aws.cognito.signin.user.admin might do. If I let 3rd party clients request this scope, what am I giving them access to?

Recommended answer

The aws.cognito.signin.user.admin scope gives you access to all the User Pool APIs that can be accessed using access tokens alone (full documentation here).

Note that this doesn't mean that the user would have arbitrary access to all the AWS API (like an IAM role might), but that if the request syntax for that API call includes "AccessToken": "string", then an access token granted using aws.cognito.signin.user.admin will be able to call it.

As a rule, the Cognito UserPools APIs (and it's only Cognito UserPool APIs) that authorise like this are ones that allow you to modify something on your own UserPools profile (i.e. do not start with Admin and affect a single profile):

At a glance through the API, these actions are (https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_Operations.html):

  • AssociateSoftwareToken
  • ChangePassword
  • ConfirmDevice
  • DeleteUser
  • DeleteUserAttributes
  • ForgetDevice
  • GetDevice
  • GetUser
  • GetUserAttributeVerificationCode
  • GlobalSignOut
  • ListDevices
  • SetUserMFAPreference
  • SetUserSettings
  • UpdateDeviceStatus
  • UpdateUserAttributes
  • VerifySoftwareToken
  • VerifyUserAttribute
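The answer's point is that the scope turns up as a claim on the access token and decides which self-service user-pool calls that token can make, which is exactly what the question's "what am I giving a third-party client?" worry comes down to. The following is an added example (not code from the original question or answer, and not an AWS library) that reads the `scope` claim out of a Cognito-style access token, maps it onto the operation list above, and flags an app-client scope configuration that hands the admin scope to a third party. The JWT decoding here is unverified on purpose and labelled as such: it assumes the caller has already checked the RS256 signature against the user pool's JWKS with a real JWT library. The sample tokens, client id and `kid` are constructed placeholders.

```python
"""Map Cognito access-token scopes to callable user-pool operations.

Added illustration, not part of the original Q&A. Signature verification is
assumed to happen before any of these helpers are trusted.
"""
import base64
import json

ADMIN_SCOPE = "aws.cognito.signin.user.admin"

# The self-service (non-Admin*) operations the answer lists as callable with
# an access token that carries ADMIN_SCOPE.
SELF_SERVICE_OPERATIONS = frozenset({
    "AssociateSoftwareToken", "ChangePassword", "ConfirmDevice", "DeleteUser",
    "DeleteUserAttributes", "ForgetDevice", "GetDevice", "GetUser",
    "GetUserAttributeVerificationCode", "GlobalSignOut", "ListDevices",
    "SetUserMFAPreference", "SetUserSettings", "UpdateDeviceStatus",
    "UpdateUserAttributes", "VerifySoftwareToken", "VerifyUserAttribute",
})

# Constructed sample claim sets (client id and sub are placeholders).
SAMPLE_ADMIN_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "token_use": "access",
    "scope": "openid profile " + ADMIN_SCOPE,
    "client_id": "EXAMPLE-CLIENT-ID",
}
SAMPLE_PROFILE_ONLY_CLAIMS = {**SAMPLE_ADMIN_CLAIMS, "scope": "openid profile email"}
SAMPLE_ID_TOKEN_CLAIMS = {"sub": SAMPLE_ADMIN_CLAIMS["sub"], "token_use": "id"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def unverified_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT checking the signature.

    Suitable for logging and triage only. A relying party must verify the
    RS256 signature against the user pool's JWKS first (assumed to be done
    by the caller with a JWT library); this function trusts nothing.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(claims: dict) -> set:
    # Cognito puts OAuth scopes in a space-delimited "scope" claim and only
    # on access tokens ("token_use": "access"); an ID token grants none.
    if claims.get("token_use") != "access":
        return set()
    return set(claims.get("scope", "").split())


def can_call(claims: dict, operation: str) -> bool:
    """True if a token with these claims can invoke the user-pool operation.

    Admin* operations are never callable with an access token regardless of
    scope; they need AWS credentials, which is the answer's distinction.
    """
    return operation in SELF_SERVICE_OPERATIONS and ADMIN_SCOPE in token_scopes(claims)


def audit_client_scopes(client_id: str, allowed_scopes: list, third_party: bool) -> list:
    """Least-privilege review of an app client's allowed OAuth scopes."""
    findings = []
    if third_party and ADMIN_SCOPE in allowed_scopes:
        findings.append(
            f"{client_id}: third-party client may request {ADMIN_SCOPE}; a bearer "
            f"of that token can change the password, MFA settings and attributes "
            f"of, or delete, the signed-in user. Remove unless those calls are needed."
        )
    return findings


def make_unsigned_sample_token(claims: dict) -> str:
    # Builds a JWT-shaped string for the demo. The signature segment is a
    # placeholder, so only unverified_claims() should ever read this token.
    header = {"alg": "RS256", "kid": "EXAMPLE-KID"}

    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc(header)}.{enc(claims)}.PLACEHOLDER-SIGNATURE"


if __name__ == "__main__":
    admin = unverified_claims(make_unsigned_sample_token(SAMPLE_ADMIN_CLAIMS))
    print("scopes:", sorted(token_scopes(admin)))
    for op in ("GetUser", "DeleteUser", "AdminDeleteUser"):
        print(f"{op}: {'allowed' if can_call(admin, op) else 'denied'}")
    for finding in audit_client_scopes("EXAMPLE-CLIENT-ID", ["openid", ADMIN_SCOPE], True):
        print("FINDING:", finding)
```

The `can_call` check is the practical reading of the answer: the scope unlocks every self-service call, including `DeleteUser` and `SetUserMFAPreference`, not just `GetUser`, so a client that only needs to read the profile should not be allowed to request it. Run `audit_client_scopes` over each app client's configured scopes as a review step when onboarding third-party integrations.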
