AWS cognito: What's the difference between Access and Identity tokens?


Question

Just reading the docs, they seem very similar to me so I can't really discern why to use one over the other. Although the identity token seems better since it has custom attributes on it from the user pool (eg: custom:blah and the default ones like name and email).

Right now, I am working with an app that passes the access token back down to the browser so it can use it for making Ajax REST calls (there is an auth filter that expects this access token and validates it). Could I just switch out the access token with the id token? The current validation logic is to just get the sub field (the uuid) from the access token, but this sub field is also present in the identity token (as well as practically every other attribute except the aud, which I don't need). I just want to make sure I am understanding this right, as it is confusing to me why both tokens exist and seem so similar.

Answer

The id_token is for your application to process, so you can get all the personal details for your user, like their name, age, email address etc. Generally speaking you shouldn't send this token anywhere else as it contains sensitive user data.

The access_token is used to call other 'external' services (and by external I include other AWS services - these are often called over HTTP). It provides service access authorisation for your user without having to include their personal details.

On the face of it this appears slightly confusing, as you can actually use the id_token to access services in the same way as the access_token. However, good practice is to use the access_token in this circumstance, and if backend services need user data, they should look it up themselves in Cognito.

If you need to authenticate an API call based on claims in the identity token, there are circumstances when this is perfectly valid. But be aware of what details are in the identity token, and whether those claims are suitable to send to the particular API. If you don't need to use any claims from the id_token, use the access_token, as this reduces the amount of potentially sensitive data you are sending.
