限制登录 Enterprise Google AWS Federated Identity Pool 域
Restrict login to Enterprise Google Domain for AWS Federated Identity Pool
我正在使用带有 aws-amplify (https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities) 的联合身份池,我想将域范围限制为我的 google 域组织(例如 johndoe@ foobar.com).
似乎没有办法在 Google API 控制台或 AWS Cognito 身份池设置上将其锁定,只是提示可以附加一个 hd 参数google 请求按域限制它(这仍然需要修改 aws-amplify 核心包),它仍然不安全,因为任何人都可以在没有 hd 的情况下发出相同的请求并获得对认知。
我的问题是:有没有办法限制 google oauth 密钥只允许 @foobar.com 电子邮件地址,或者使用 aws cognito 实施相同的限制?
我相信我找到了解决方案(从几个快速测试来看它似乎工作正常)
Don't try to control the hosted domain part via the Trust Relationship
in the Role.
Go to: Cognito / Edit Identity Pool / Authentication Providers
Select Google+
In "Authenticated role selection" select "Choose role with Rules"
Now require claim "hd" to be "equals" to <your-domain>
set "Role resolution" to "DENY"
来源:https://forums.aws.amazon.com/thread.jspa?messageID=527303
这是一个 cloudformation 堆栈,可一次性设置所有内容(身份池、角色等)。 您需要在所有标有 EDIT HERE:
注释的地方进行必要的调整。
AWSTemplateFormatVersion : 2010-09-09
Description : "An Identity Pool stack which uses Google for sign-in"
Resources:
IdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: identity_pool_a
AllowUnauthenticatedIdentities: false
SupportedLoginProviders:
# EDIT HERE:
"accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"
IdentityForbiddenRole:
Type: AWS::IAM::Role
Properties:
MaxSessionDuration: 3600
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": unauthenticated
Policies:
- PolicyName: None
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Action: "*"
Resource: "*"
IdentityAllowedRole:
Type: AWS::IAM::Role
Properties:
MaxSessionDuration: 3600
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: UserPermissions
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
# EDIT HERE:
Action: "s3:GetObject"
# EDIT HERE:
Resource: "arn:aws:s3:::my-bucket/*"
RoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref IdentityPool
Roles:
unauthenticated: !GetAtt IdentityForbiddenRole.Arn
authenticated: !GetAtt IdentityForbiddenRole.Arn
RoleMappings:
accounts.google.com:
AmbiguousRoleResolution: Deny
Type: Rules
RulesConfiguration:
Rules:
- Claim: hd
MatchType: Equals
# EDIT HERE:
Value: mydomain.com
RoleARN: !GetAtt IdentityAllowedRole.Arn
我正在使用带有 aws-amplify (https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities) 的联合身份池,我想将域范围限制为我的 google 域组织(例如 johndoe@ foobar.com).
似乎没有办法在 Google API 控制台或 AWS Cognito 身份池设置上将其锁定,只是提示可以附加一个 hd 参数google 请求按域限制它(这仍然需要修改 aws-amplify 核心包),它仍然不安全,因为任何人都可以在没有 hd 的情况下发出相同的请求并获得对认知。
我的问题是:有没有办法限制 google oauth 密钥只允许 @foobar.com 电子邮件地址,或者使用 aws cognito 实施相同的限制?
我相信我找到了解决方案(从几个快速测试来看它似乎工作正常)
Don't try to control the hosted domain part via the Trust Relationship in the Role.
Go to: Cognito / Edit Identity Pool / Authentication Providers
Select Google+
In "Authenticated role selection" select "Choose role with Rules"
Now require claim "hd" to be "equals" to
<your-domain>
set "Role resolution" to "DENY"
来源:https://forums.aws.amazon.com/thread.jspa?messageID=527303
这是一个 cloudformation 堆栈,可一次性设置所有内容(身份池、角色等)。 您需要在所有标有 EDIT HERE:
注释的地方进行必要的调整。
AWSTemplateFormatVersion : 2010-09-09
Description : "An Identity Pool stack which uses Google for sign-in"
Resources:
IdentityPool:
Type: AWS::Cognito::IdentityPool
Properties:
IdentityPoolName: identity_pool_a
AllowUnauthenticatedIdentities: false
SupportedLoginProviders:
# EDIT HERE:
"accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"
IdentityForbiddenRole:
Type: AWS::IAM::Role
Properties:
MaxSessionDuration: 3600
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": unauthenticated
Policies:
- PolicyName: None
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Deny
Action: "*"
Resource: "*"
IdentityAllowedRole:
Type: AWS::IAM::Role
Properties:
MaxSessionDuration: 3600
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Federated: "cognito-identity.amazonaws.com"
Action:
- "sts:AssumeRoleWithWebIdentity"
Condition:
StringEquals:
"cognito-identity.amazonaws.com:aud": !Ref IdentityPool
ForAnyValue:StringLike:
"cognito-identity.amazonaws.com:amr": authenticated
Policies:
- PolicyName: UserPermissions
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
# EDIT HERE:
Action: "s3:GetObject"
# EDIT HERE:
Resource: "arn:aws:s3:::my-bucket/*"
RoleAttachment:
Type: AWS::Cognito::IdentityPoolRoleAttachment
Properties:
IdentityPoolId: !Ref IdentityPool
Roles:
unauthenticated: !GetAtt IdentityForbiddenRole.Arn
authenticated: !GetAtt IdentityForbiddenRole.Arn
RoleMappings:
accounts.google.com:
AmbiguousRoleResolution: Deny
Type: Rules
RulesConfiguration:
Rules:
- Claim: hd
MatchType: Equals
# EDIT HERE:
Value: mydomain.com
RoleARN: !GetAtt IdentityAllowedRole.Arn