Cognito Google Federated Identity, Invalid OpenId Connect Identity Token

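I am developing an application that lets users sign in with their Google account and then uses that login to obtain a Cognito federated identity.

I cannot get the correct token needed to authenticate with Cognito. I keep getting the error com.amazonaws.services.cognitoidentity.model.NotAuthorizedException: Invalid login token. Not a valid OpenId Connect identity token.

Here is my code: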

        Runnable runnable = new Runnable() {
            @Override
            public void run() {
                CognitoSyncClientManager.init(getActivity().getApplicationContext());

                String token = null;

                try {
                    token = GoogleAuthUtil.getToken(getActivity().getApplicationContext(), signInAccount.getAccount(), "oauth2:openid");
                }catch (Exception e){
                    Log.d("login exception", e.toString());
                }
                Map<String, String> logins = new HashMap<String, String>();
                logins.put("accounts.google.com", token);
                CognitoSyncClientManager.addLogins("accounts.google.com", token);
                Log.d("login", "Created User token " + token);
                Log.d("login", "Cached UserID: "+CognitoSyncClientManager.credentialsProvider.getCachedIdentityId());
                Log.d("login", "UserID: " + CognitoSyncClientManager.credentialsProvider.getIdentityId());
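                // A Toast must be shown from the UI thread, and it only appears once show() is called.
                final String identityId = CognitoSyncClientManager.credentialsProvider.getCachedIdentityId();
                getActivity().runOnUiThread(new Runnable() {
                    @Override
                    public void run() {
                        Toast.makeText(getActivity().getApplicationContext(), "Created user: " + identityId, Toast.LENGTH_LONG).show();
                    }
                });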
            }
        };
        Thread t = new Thread(runnable);
        t.start();

GoogleAuthUtil's getToken appears to return an access token.

https://developers.google.com/android/reference/com/google/android/gms/auth/GoogleAuthUtil.html#getToken(android.content.Context, android.accounts.Account, java.lang.String, android.os.Bundle)

You need to pass Google's OpenId Connect ID token to Cognito, not the access token.

https://developers.google.com/identity/sign-in/android/backend-auth

Based on the JavaScript passport-google-auth module, it returns access_token, refresh_token and params.

To get the cognito_identity, you need to use the params.id_token received from Google:

    // Assumes passport, GoogleStrategy, app and controller are already set up elsewhere.
    // Options and verify callback are defined before passport.use() so they exist when it runs.
    var googleDeveloperDetails = {
        clientID: "google client ID",
        clientSecret: "google client secret",
        callbackURL: "https://localhost:3000/auth/google/callback",
        profileFields: ["emails", "profile"]
    };

    // Verify callback: for Google, keep the OpenID Connect ID token rather than the access token.
    var getUserDetails = function(accessToken, refreshToken, params, profile, done) {
        if (profile.provider == "google") {
            profile.token = params.id_token;   // params.id_token to be used to get cognito credentials
        } else {
            profile.token = accessToken;
        }
        done(null, profile);
    };

    passport.use(new GoogleStrategy(googleDeveloperDetails, getUserDetails));

    app.get("/auth/google", passport.authenticate("google", { scope: ['email'] }));

    var authGoogle = passport.authenticate("google", {
        failureRedirect: "/auth/google"
    });

    // Leading slash added so the route matches the path in callbackURL.
    app.get("/auth/google/callback", authGoogle, controller.successRedirect);
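
The difference both answers point to (ID token versus access token) can be checked before the value is placed in the Cognito logins map. The following is an added example, not code from the question or either answer: `checkGoogleIdToken`, `sampleJwt`, the client ID and the sample tokens are constructed for illustration. It inspects structure and claims only and does not verify the token's signature.

```javascript
// Added example. Structural pre-flight check only: the signature is NOT verified here.
const GOOGLE_ISSUERS = ["accounts.google.com", "https://accounts.google.com"];

function decodeSegment(segment) {
  // JWT segments are unpadded base64url; map to standard base64 before decoding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Returns { ok: true, claims } or { ok: false, reason }.
function checkGoogleIdToken(token, expectedClientId, nowSeconds) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) {
    return { ok: false, reason: "not a JWT (opaque access token or null)" };
  }
  let header, claims;
  try {
    header = decodeSegment(parts[0]);
    claims = decodeSegment(parts[1]);
  } catch (e) {
    return { ok: false, reason: "segments are not base64url-encoded JSON" };
  }
  if (!header || !claims || !header.alg || header.alg === "none") {
    return { ok: false, reason: "missing or unsigned alg" };
  }
  if (!GOOGLE_ISSUERS.includes(claims.iss)) {
    return { ok: false, reason: "iss is not Google" };
  }
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(expectedClientId)) {
    return { ok: false, reason: "aud does not match this app's client ID" };
  }
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) {
    return { ok: false, reason: "token expired" };
  }
  return { ok: true, claims };
}

// Constructed sample inputs (placeholder values, dummy signature segment).
function sampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "c2ln"].join(".");
}
const CLIENT_ID = "example-client-id.apps.googleusercontent.com"; // placeholder
const idToken = sampleJwt({ iss: "accounts.google.com", aud: CLIENT_ID, exp: 2000 });
console.log(checkGoogleIdToken(idToken, CLIENT_ID, 1000));                   // accepted
console.log(checkGoogleIdToken("ya29.constructed-opaque", CLIENT_ID, 1000)); // rejected
```

A rejected value with the reason "not a JWT" corresponds to the situation in the question, where an access token was sent under the accounts.google.com key.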