如何使用AWS cognito自定义验证方法来创建临时S3上传安全令牌 [英] how to use AWS cognito with custom authentication to create temporary s3 upload security token
问题描述
所以我一下就Cognito有关其既定的用例之一困惑亚马逊的文档:使用自己的标识系统......让您的应用程序将数据保存到AWS云
So I'm a bit confused by the Amazon documentation on Cognito concerning one of their stated use cases: "use your own identity system... allowing your apps to save data to the AWS cloud".
在我来说,我想给他们AWS令牌直接上传从手机客户端S3没有把我的AWS键在客户端设备上。
In my case I want to give them aws tokens to upload directly to s3 from the mobile client without putting my aws keys on the client device.
为了实现这种服务器端 - 如何生成正确的凭据,以便客户端可以用这个身份上的客户端应用程序上传到S3?
In order to implement this on the server side - how do I generate the proper credentials so that the client can use this identity on the client app to upload to s3?
难道我第一个电话
-
的getId()(什么样的价值观做我通过,如果我用我自己的登录 - ?因为我没有提供一个Facebook或Twitter的ID我如何通过我自己的数据库的生成用户ID
getId() (what values do I pass if I'm using my own login - since I'm not providing a facebook or twitter ID? How do I pass in my own db's generated user ids?
AWS.CognitoIdentity.getCredentialsForIdentity() 方法从congito API ...也许我要新建立一个AWS.CognitoIdentity?
AWS.CognitoIdentity.getCredentialsForIdentity() method from the congito API... or maybe I have to new up an AWS.CognitoIdentity?
要一个很好的例子,任何链接?我找不到文档本身的任何完整的例子。
Any links to a good example? I couldn't find any full examples in the documentation itself.
例如在其文档亚马逊说,
For example in their documentation amazon says that
VAR identityId = AWS.config.credentials.identityId;
检索一个identityid为您的最终用户立即但是看着它,它似乎是一个属性,而不是一个id工厂。它是如何生成唯一的ID,或者是一个标识ID,由我的所有用户共享?是否有某种形式的凭据,我可以从这个推导,我可以再传授给我的移动客户端获取上传的权限S3?
retrieves an identityid for your end user immediately, however looking at it, it seems to be a property and not an id factory. How does it generate unique ids, or is one identity id shared by all of my users? Are there credentials of some sort that I can derive from this that I can then pass on to my mobile client to get upload privileges to s3?
我也看了一些关于AWS STS服务 - 是一种替代方法来Cognito
I also read something about AWS STS service - is that an alternative to using Cognito?
推荐答案
您可以找到一个示例<一href="http://mobile.awsblog.com/post/Tx3E3NJURV1LNV1/Integrating-Amazon-Cognito-using-developer-authenticated-identities-An-end-to-en"相对=nofollow>在这个AWS移动博客帖子和<开发人员的身份验证和定期身份之间的差异href="http://mobile.awsblog.com/post/Tx2FL1QAPDE0UAH/Understanding-Amazon-Cognito-Authentication-Part-2-Developer-Authenticated-Ident"相对=nofollow>这个其他博客帖子。
You can find an example in this AWS Mobile blog post and the differences between developer authenticated identities and regular identities in this other blog post.
基本上,流量,你的应用程序将验证对你的后端,那么你的后台会调用 GetOpenIdTokenIdTokenForDeveloperIdentity 并发送所产生的令牌和身份ID用户的应用程序。用户的应用程序可以使用此令牌来获得使用SDK Cognito凭证,以及与此凭据拨打S3或其他AWS服务。每个用户都有它自己的凭据,所以他们只有在S3访问自己的资源。
Basically, the flow is that your app will authenticate against your backend, then your backend will call GetOpenIdTokenIdTokenForDeveloperIdentity and send the resulting token and Identity ID to the user's app. The user's app can use this token to obtain Cognito credentials using the SDK, and with this credentials make calls to S3 or other AWS services. Each user will have it's own credentials, so they only have access to their own resources in S3.
关于STS,这就是SDK将在内部使用获得的凭据,但只要你使用的SDK,您不必担心。这不是一个替代Cognito,但他们都一起工作。
About STS, that's what the SDK will internally use to obtain the credentials, but as long as you use the SDK you don't need to worry about it. It's not an alternative to Cognito, but they both work together.
这篇关于如何使用AWS cognito自定义验证方法来创建临时S3上传安全令牌的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
