Java:Not 授权执行 sts:AssumeRoleWithWebIdentity cognito 用户池
Java:Not authorized to perform sts:AssumeRoleWithWebIdentity cognito user pool
我正在使用 AWS Cogito 服务通过 AWS Java SDK 从 Cognito 获取用户凭证。
我关注了
https://mobile.awsblog.com/post/TxBVEDL5Z8JKAC/Use-Amazon-Cognito-in-your-website-for-simple-AWS-authentication 编写代码以使用 Cognito 用户池对用户进行身份验证。
在编写代码之前,我配置了 Cognito 用户池并使用以下池配置字段将其命名为 demo。
Pool Id us-east-1_GUbY6qQ1v
Pool ARN arn:aws:cognito-idp:us-east-1:049428796662:userpool/us-east-1_GUbY6qQ1v
我将上面的内容与为迎合联合身份池而创建的身份池一起使用,如附图所示。Federated Identities User Pool
现在回到代码,我编写了以下函数来检索用户身份并将其缓存,这样如果相同的身份登录,就不会重复调用 GetID() 函数。
public UserIdentity getUserIdentity(User user) throws AuthorizationException {
if (user == null || user.getUsername() == null || user.getUsername().trim().equals("")) {
throw new AuthorizationException("Invalid user");
}
AmazonCognitoIdentity identityClient = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials());
GetIdRequest idRequest = new GetIdRequest();
idRequest.setAccountId(CognitoConfiguration.AWS_ACCOUNT_ID);
idRequest.setIdentityPoolId(CognitoConfiguration.IDENTITY_POOL_ID);
GetIdResult idResp = identityClient.getId(idRequest);
if (idResp == null) {
throw new AuthorizationException("Empty GetOpenIdToken response");
}
GetOpenIdTokenRequest tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setIdentityId(idResp.getIdentityId());
GetOpenIdTokenResult tokenResp = identityClient.getOpenIdToken(tokenRequest);
UserIdentity identity = new UserIdentity();
identity.setIdentityId(idResp.getIdentityId());
identity.setOpenIdToken(tokenResp.getToken());
return identity;
}
用户 class 包含带有 getOpenIdToken 的字段标识,然后在从 cognito 请求凭据时检索此令牌。
public AWSSessionCredentials getUserCredentials(User user) throws AuthorizationException {
if (user == null || user.getCognitoIdentityId() == null || user.getCognitoIdentityId().trim().equals("")) {
throw new AuthorizationException("Invalid user");
}
AWSSecurityTokenService stsClient = new AWSSecurityTokenServiceClient(new AnonymousAWSCredentials());
AssumeRoleWithWebIdentityRequest stsReq = new AssumeRoleWithWebIdentityRequest();
stsReq.setRoleArn(user.getUserRole());
System.out.println("The received get open id token is: " + user.getIdentity().getOpenIdToken());
stsReq.setWebIdentityToken(user.getIdentity().getOpenIdToken());
stsReq.setRoleSessionName("FassetTestSession");
AssumeRoleWithWebIdentityResult stsResp = stsClient.assumeRoleWithWebIdentity(stsReq);
Credentials stsCredentials = stsResp.getCredentials();
// Create the session credentials object
AWSSessionCredentials sessionCredentials = new BasicSessionCredentials(
stsCredentials.getAccessKeyId(),
stsCredentials.getSecretAccessKey(),
stsCredentials.getSessionToken()
);
// save the timeout for these credentials
Date sessionCredentialsExpiration = stsCredentials.getExpiration();
return sessionCredentials;
}
用户class的相关部分如下。
public class User {
private UserIdentity identity;
public String getCognitoIdentityId() {
if (this.identity == null) {
return null;
}
return this.identity.getIdentityId();
}
public void setCognitoIdentityId(String cognitoIdentityId) {
if (this.identity == null) {
this.identity = new UserIdentity();
}
this.identity.setIdentityId(cognitoIdentityId);
}
}
行 AssumeRoleWithWebIdentityResult stsResp = stsClient.assumeRoleWithWebIdentity(stsReq), returns 一个 403 forbidden 错误下面的确切行。
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Type>Sender</Type>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Code>AccessDenied</Code>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " </Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <RequestId>fe4edd9f-913e-11e6-85cd-45155b40299e</RequestId>[\n]"
用户角色的信任权限是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxxxxxxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": [
"accounts.google.com",
"graph.facebook.com",
"authenticated"
]
}
}
}
]
}
其中 us-east-1:xxxxxxxxxxxxxxxx 是管理社交和认知用户池的用户身份池 ID。
我浏览了许多列出信任权限和 Cognito 用户池的此类博客以了解上述问题,但徒劳无功,如果有人能帮助我解决上述问题,我将不胜感激。
您没有在调用 GetId 时在登录映射中为您的用户池用户传递 ID 令牌。您需要使用包含 cognito-idp.us-east-1.amazonaws.com/us-east-1_your_user_pool_id[= 的地图在 GetIdRequest 上调用 setLogins 21=] 作为键,您的用户池用户的 id 令牌 作为值
由于您尚未通过此登录映射,因此您获得的身份是未经身份验证的身份,并且您在角色策略中只允许经过身份验证的用户。
另请参阅:GetId API
我正在使用 AWS Cogito 服务通过 AWS Java SDK 从 Cognito 获取用户凭证。
我关注了
https://mobile.awsblog.com/post/TxBVEDL5Z8JKAC/Use-Amazon-Cognito-in-your-website-for-simple-AWS-authentication 编写代码以使用 Cognito 用户池对用户进行身份验证。
在编写代码之前,我配置了 Cognito 用户池并使用以下池配置字段将其命名为 demo。
Pool Id us-east-1_GUbY6qQ1v
Pool ARN arn:aws:cognito-idp:us-east-1:049428796662:userpool/us-east-1_GUbY6qQ1v
我将上面的内容与为迎合联合身份池而创建的身份池一起使用,如附图所示。Federated Identities User Pool
现在回到代码,我编写了以下函数来检索用户身份并将其缓存,这样如果相同的身份登录,就不会重复调用 GetID() 函数。
public UserIdentity getUserIdentity(User user) throws AuthorizationException {
if (user == null || user.getUsername() == null || user.getUsername().trim().equals("")) {
throw new AuthorizationException("Invalid user");
}
AmazonCognitoIdentity identityClient = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials());
GetIdRequest idRequest = new GetIdRequest();
idRequest.setAccountId(CognitoConfiguration.AWS_ACCOUNT_ID);
idRequest.setIdentityPoolId(CognitoConfiguration.IDENTITY_POOL_ID);
GetIdResult idResp = identityClient.getId(idRequest);
if (idResp == null) {
throw new AuthorizationException("Empty GetOpenIdToken response");
}
GetOpenIdTokenRequest tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setIdentityId(idResp.getIdentityId());
GetOpenIdTokenResult tokenResp = identityClient.getOpenIdToken(tokenRequest);
UserIdentity identity = new UserIdentity();
identity.setIdentityId(idResp.getIdentityId());
identity.setOpenIdToken(tokenResp.getToken());
return identity;
}
用户 class 包含带有 getOpenIdToken 的字段标识,然后在从 cognito 请求凭据时检索此令牌。
public AWSSessionCredentials getUserCredentials(User user) throws AuthorizationException {
if (user == null || user.getCognitoIdentityId() == null || user.getCognitoIdentityId().trim().equals("")) {
throw new AuthorizationException("Invalid user");
}
AWSSecurityTokenService stsClient = new AWSSecurityTokenServiceClient(new AnonymousAWSCredentials());
AssumeRoleWithWebIdentityRequest stsReq = new AssumeRoleWithWebIdentityRequest();
stsReq.setRoleArn(user.getUserRole());
System.out.println("The received get open id token is: " + user.getIdentity().getOpenIdToken());
stsReq.setWebIdentityToken(user.getIdentity().getOpenIdToken());
stsReq.setRoleSessionName("FassetTestSession");
AssumeRoleWithWebIdentityResult stsResp = stsClient.assumeRoleWithWebIdentity(stsReq);
Credentials stsCredentials = stsResp.getCredentials();
// Create the session credentials object
AWSSessionCredentials sessionCredentials = new BasicSessionCredentials(
stsCredentials.getAccessKeyId(),
stsCredentials.getSecretAccessKey(),
stsCredentials.getSessionToken()
);
// save the timeout for these credentials
Date sessionCredentialsExpiration = stsCredentials.getExpiration();
return sessionCredentials;
}
用户class的相关部分如下。
public class User {
private UserIdentity identity;
public String getCognitoIdentityId() {
if (this.identity == null) {
return null;
}
return this.identity.getIdentityId();
}
public void setCognitoIdentityId(String cognitoIdentityId) {
if (this.identity == null) {
this.identity = new UserIdentity();
}
this.identity.setIdentityId(cognitoIdentityId);
}
}
行 AssumeRoleWithWebIdentityResult stsResp = stsClient.assumeRoleWithWebIdentity(stsReq), returns 一个 403 forbidden 错误下面的确切行。
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Type>Sender</Type>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Code>AccessDenied</Code>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " </Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << " <RequestId>fe4edd9f-913e-11e6-85cd-45155b40299e</RequestId>[\n]"
用户角色的信任权限是:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxxxxxxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": [
"accounts.google.com",
"graph.facebook.com",
"authenticated"
]
}
}
}
]
}
其中 us-east-1:xxxxxxxxxxxxxxxx 是管理社交和认知用户池的用户身份池 ID。
我浏览了许多列出信任权限和 Cognito 用户池的此类博客以了解上述问题,但徒劳无功,如果有人能帮助我解决上述问题,我将不胜感激。
您没有在调用 GetId 时在登录映射中为您的用户池用户传递 ID 令牌。您需要使用包含 cognito-idp.us-east-1.amazonaws.com/us-east-1_your_user_pool_id[= 的地图在 GetIdRequest 上调用 setLogins 21=] 作为键,您的用户池用户的 id 令牌 作为值
由于您尚未通过此登录映射,因此您获得的身份是未经身份验证的身份,并且您在角色策略中只允许经过身份验证的用户。
另请参阅:GetId API