从Lambda中访问Cogito用户属性 [英] Getting access to cognito user attributes from within Lambda
问题描述
我在我的架构中使用Cognito、API Gateway和Lambda函数。
在客户端上,我使用AWS Amplify.API发出请求,该请求在到达API Gateway后由Cognito授权。如果请求获得授权,它将传递到Lambda函数,在该函数中,我需要访问发出请求的登录用户,以便能够运行我的业务逻辑。
在lambda函数的上下文中,我可以访问一些环境变量,CognitoUserPoolId
就是其中之一。
我还可以访问event
中通过API传递的任何请求。
{
"tok": {
"resource": "/some_resource",
"path": "/some_resource",
"httpMethod": "GET",
"headers": {
"Accept": "application/json",
"Accept-Encoding": "gzip, deflate, br",
"Accept-Language": "en-GB,en;q=0.9,sv;q=0.8,en-US;q=0.7,el;q=0.6,de;q=0.5,el-GR;q=0.4",
"CloudFront-Forwarded-Proto": "https",
"CloudFront-Is-Desktop-Viewer": "true",
"CloudFront-Is-Mobile-Viewer": "false",
"CloudFront-Is-SmartTV-Viewer": "false",
"CloudFront-Is-Tablet-Viewer": "false",
"CloudFront-Viewer-Country": "SE",
"content-type": "application/json",
"Host": "XXXXXX.execute-api.eu-central-1.amazonaws.com",
"origin": "http://localhost:8080",
"Referer": "http://localhost:8080/some_resource",
"sec-fetch-dest": "empty",
"sec-fetch-mode": "cors",
"sec-fetch-site": "cross-site",
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
"Via": "2.0 XXXXXXXXXXXX.cloudfront.net (CloudFront)",
"X-Amz-Cf-Id": "XXXXXXXXXXXXXXXXXXXXXXXXTelrg==",
"x-amz-date": "20200527T233945Z",
"x-amz-security-token": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8fR",
"X-Amzn-Trace-Id": "Root=1-5XXXXa41-730XXXXXXXXXXabe42f1",
"X-Forwarded-For": "XXX.XXX.XX.XXX, XXX.XXX.XXX.XXX",
"X-Forwarded-Port": "443",
"X-Forwarded-Proto": "https"
},
"multiValueHeaders": {
"Accept": [
"application/json"
],
"Accept-Encoding": [
"gzip, deflate, br"
],
"Accept-Language": [
"en-GB,en;q=0.9,sv;q=0.8,en-US;q=0.7,el;q=0.6,de;q=0.5,el-GR;q=0.4"
],
"CloudFront-Forwarded-Proto": [
"https"
],
"CloudFront-Is-Desktop-Viewer": [
"true"
],
"CloudFront-Is-Mobile-Viewer": [
"false"
],
"CloudFront-Is-SmartTV-Viewer": [
"false"
],
"CloudFront-Is-Tablet-Viewer": [
"false"
],
"CloudFront-Viewer-Country": [
"SE"
],
"content-type": [
"application/json"
],
"Host": [
"XXXXXX.execute-api.eu-central-1.amazonaws.com"
],
"origin": [
"http://localhost:8080"
],
"Referer": [
"http://localhost:8080/some_resource"
],
"sec-fetch-dest": [
"empty"
],
"sec-fetch-mode": [
"cors"
],
"sec-fetch-site": [
"cross-site"
],
"User-Agent": [
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"
],
"Via": [
"2.0 XXXXXXXXXXXX.cloudfront.net (CloudFront)"
],
"X-Amz-Cf-Id": [
"XXXXXXXXXXXXXXXXXXXXXXXXTelrg=="
],
"x-amz-date": [
"20200527T233945Z"
],
"x-amz-security-token": [
"XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX8fR"
],
"X-Amzn-Trace-Id": [
"Root=1-5XXXXa41-730XXXXXXXXXXabe42f1"
],
"X-Forwarded-For": [
"XXX.XXX.XX.XXX, XXX.XXX.XXX.XXX"
],
"X-Forwarded-Port": [
"443"
],
"X-Forwarded-Proto": [
"https"
]
},
"queryStringParameters": null,
"multiValueQueryStringParameters": null,
"pathParameters": null,
"stageVariables": null,
"requestContext": {
"resourceId": "5qXXXXXXX",
"resourcePath": "/some_resource",
"httpMethod": "GET",
"extendedRequestId": "NNwKXXXXXXXXX=",
"requestTime": "27/May/2020:23:39:45 +0000",
"path": "/dev/some_resource",
"accountId": "18XXXXXXXX",
"protocol": "HTTP/1.1",
"stage": "dev",
"domainPrefix": "XXXXXX",
"requestTimeEpoch": 1590622785474,
"requestId": "XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX",
"identity": {
"cognitoIdentityPoolId": "eu-central-1:XXXXXX-YYY-YYYY-YYYY-YYYYY",
"accountId": "181606720624",
"cognitoIdentityId": "eu-central-1:XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX",
"caller": "SOME_STRING_HERE:CognitoIdentityCredentials",
"sourceIp": "XXX.XXX.XXX.XXX",
"principalOrgId": null,
"accessKey": "ACCESS_KEY_HERE",
"cognitoAuthenticationType": "authenticated",
"cognitoAuthenticationProvider": "cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXXXX,cognito-idp.eu-central-1.amazonaws.com/eu-central-1_XXXXXX:CognitoSignIn:XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX",
"userArn": "arn:aws:sts::XXXXXX:assumed-role/amplify-XXXXXX-dev-XXXXXX-authRole/CognitoIdentityCredentials",
"userAgent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36",
"user": "SOME_STRING_HERE:CognitoIdentityCredentials"
},
"domainName": "XXXXXX.execute-api.eu-central-1.amazonaws.com",
"apiId": "XXXXXX"
},
"body": null,
"isBase64Encoded": false
}
}
有了所有这些信息,我如何才能访问发出请求的用户的用户属性?
我一直在调查:
Boto3 CognitoIdentityProvider.get_user()
和
Boto3 CognitoIdentityProvider.admin_get_user(),但是两者都需要AccessToken
或userId
,并且两者在lambda函数的上下文中都不可用。我认为唯一的方法是在请求的有效负载中传递一些额外的信息,但这似乎不是检索用户属性的最佳方法。
编辑
我没有在API上使用自定义授权器。在使用Amplify设置API时,我选择了受保护路径,并且所有请求都是针对Cognito用户池进行身份验证/授权的。在amplify push
之后,我可以看到部署的API在所有资源的方法请求中都有AWS_IAM
下Auth
。
Amplify.API.get
发出请求时包含用于授权的标头,更具体地说:
:authority: XXXXXX.execute-api.eu-central-1.amazonaws.com
:method: GET
:path: /dev/some_resource
:scheme: https
accept: application/json
accept-encoding: gzip, deflate, br
accept-language: en-GB,en;q=0.9,sv;q=0.8,en-US;q=0.7,el;q=0.6,de;q=0.5,el-GR;q=0.4
authorization: AWS4-HMAC-SHA256 Credential=ASIAXXXXXXXX/20200528/eu-central-1/execute-api/aws4_request, SignedHeaders=accept;content-type;host;x-amz-date;x-amz-security-token, Signature=b6a7aXXX1c447bXXX...XXX
content-type: application/json
origin: http://localhost:8080
referer: http://localhost:8080/dashboard
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
x-amz-date: 20200528T075958Z
x-amz-security-token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX...XXXXXXXXXX
API资源集成到Lambda函数,通过Lambda Proxy集成。我可以看到Lambda函数正在被调用,因此请求被授权了。但是,我在Lambda中的event
中的所有内容都是我在上面第一个剪辑中粘贴的内容。
鉴于这是一个代理集成,我希望在API的上下文中的所有内容都应该被转发到API后面的Lambda。但是,我看不到如何使用Lambda中提供的任何信息访问USER_ATTRIBUES。有什么建议吗?
编辑%2
我现在正在研究使用自定义头从客户端传递与用户相关的数据,可能类似于:
'x-user-sub': '58ce94f6-53vd-4s3e-b088-cd6f85s0ff43'
然后在我的Lambda函数中使用以下代码来获取用户属性:
c_client = boto3.client('cognito-idp')
response = c_client.admin_get_user(
UserPoolId='eu-central-1_XXXXXX',
Username='58ce94f6-53vd-4s3e-b088-cd6f85s0ff43'
)
以上返回:
{
'Username': '58ce94f6-53vd-4s3e-b088-cd6f85s0ff43',
'UserAttributes': [
{
'Name': 'sub',
'Value': '58ce94f6-53vd-4s3e-b088-cd6f85s0ff43'
},
{
'Name': 'email_verified',
'Value': 'true'
},
{
'Name': 'phone_number_verified',
'Value': 'true'
},
{
'Name': 'phone_number',
'Value': '+46XXXXXXXXXX'
},
{
'Name': 'email',
'Value': 'XXXXXX.XXXXX@YYYY.com'
}
],
'UserCreateDate': datetime.datetime(2020, 5, 14, 15, 43, 3, 370000, tzinfo=tzlocal()),
'UserLastModifiedDate': datetime.datetime(2020, 5, 15, 16, 32, 43, 424000, tzinfo=tzlocal()),
'Enabled': true,
'UserStatus': 'CONFIRMED',
'ResponseMetadata': {
'RequestId': 'e441edd4-XXX-46ba-XXX-922691471f2c',
'HTTPStatusCode': 200,
'HTTPHeaders': {
'date': 'Thu, 28 May 2020 12:58:18 GMT',
'content-type': 'application/x-amz-json-1.1',
'content-length': '431',
'connection': 'keep-alive',
'x-amzn-requestid': 'e441edd4-XXX-46ba-XXX-922691471f2c'
},
'RetryAttempts': 0
}
}
这个解决方案有什么明显的遗漏吗?我是否通过在Customer标头中传递sub
来引入任何安全风险?
非常感谢您的帮助。
推荐答案
我认为此帖子here可能对您有帮助。
尤其是这一部分:
Cognito用户池的API Gateway授权程序
API Gateway最近推出了对Cognito用户池的支持 授权者。如果使用Cognito用户池授权程序,则不需要 要设置您自己的自定义授权器以验证令牌,请执行以下操作。一旦您的API 方法是使用Cognito用户池授权程序配置的,您可以传递 将授权标头中未过期的ID令牌添加到您的API方法。如果 它是您的用户池的用户的有效ID令牌,然后您可以 使用以下命令访问您的API中ID令牌的所有声明 ‘$Conext.Authizer.Claims’。例如 ‘$Conext.Authizer.Claims.Email’将返回用户的电子邮件地址 和"$Conext.Authorizer.Claims.Sub"将返回您用户的唯一 标识符。如果ID令牌已过期或无效,则Cognito用户 池授权程序将向调用方发送未经授权的(401)响应。
Here以下是有关如何覆盖apigateway请求/响应参数的一些示例
Here您可以看到如何设置集成以及将哪些数据传递到API网关。
值得查看data mapping和access logging的引用
这篇关于从Lambda中访问Cogito用户属性的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!