如何将用户添加到 AWS Cognito 用户池组中?
How to add a user into a AWS Cognito userpool group?
我正在使用 AWS Cognito 在我的 iOS APP (Swift) 中实现用户注册和登录。
当用户注册时,我想将该用户添加到已在我的 Cognito 用户池中创建的指定用户池组中。
我试过下面的 swift 代码,但它似乎不起作用。
用户注册后,他或她按下[addToGroup]按钮加入名为[GroupA]的用户池组。
@IBAction func addToGroupButton(_ sender: Any) {
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "ap-northeast-1_8H0k*****"
request?.username = eMailAdd
let identityProvider = AWSCognitoIdentityProvider()
identityProvider.adminAddUser(toGroup: request!).continueWith { (task) -> Any? in
DispatchQueue.main.async(execute: {
if let error = task.error {
print("\(error.localizedDescription)")
}
})
}
}
用户注册没有问题,我可以确认用户注册的信息。
但是,用户名没有出现在 GroupA 中。
有人能告诉我我的代码有什么问题吗??
谢谢!
我假设您遇到了一些错误,例如 AWSCognitoIdentityProviderErrorNotAuthorized。因为这是一个 'admin' API 调用,'Requires developer credentials' 如此处所建议 [0].
我建议您对您的凭据进行硬编码,以测试此 API 调用是否首先有效
AWSStaticCredentialsProvider *credentialsProvider = [AWSStaticCredentialsProvider credentialsWithAccessKey:"your-access-key" secretKey:"your-secret-key"];
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
请注意不要在您的生产环境中对您的凭据进行硬编码。
21/07/2019 更新:
let staticCredentialProvider = AWSStaticCredentialsProvider.init(accessKey: "yourAccessKey", secretKey: "yourSecretKey")
let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: staticCredentialProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "ap-southeast-2_xxxxxxxxx"
request?.username = "yourUserName"
AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!).continueWith { (task) -> Any? in
DispatchQueue.main.async(execute: {
if let error = task.error {
print("\(error.localizedDescription)")
}
})
}
我已经测试过了,上面的代码在我的测试环境下是可以运行的。我列在这里供大家参考。下一步将尝试从代码库中删除硬编码凭证。可以使用 Cognito 身份池获取临时凭证,而不是使用 AWSStaticCredentialsProvider。我估计如果有足够的许可,这个流程可以在没有开发人员证书的情况下工作。
26/07/2019 更新:
// using Cognito userpool with identity pool, to provider credential to AWSServiceManager
let serviceConfiguration = AWSServiceConfiguration(region: .APSoutheast2, credentialsProvider: nil)
let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: "YourUserPoolClientId", clientSecret: "YourUserPoolClientSecret", poolId: "YourUserPoolId")
AWSCognitoIdentityUserPool.register(with: serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let pool = AWSCognitoIdentityUserPool(forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .APSoutheast2, identityPoolId: "YourIdentityPoolId", identityProviderManager:pool)
let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: credentialsProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration
// sign in a user
pool.getUser("UserNameOfAUserInYourPool").getSession("UserNameOfAUserInYourPool", password: "PasswordOfAUserInYourPool", validationData: nil).continueWith { (task) -> Any? in
if let error = task.error {
print("user sign in error: \(error.localizedDescription)")
} else {
print("user session is: \(String(describing: task.result))")
}
// add a user to GroupA
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "YourUserPoolId"
request?.username = "UserNameOfAUserInYourPool"
return AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!)
}.continueWith { (task) -> Any? in
if let error = task.error {
print("cannot add user to group \(error.localizedDescription)")
}
}
就像我建议的那样,这是没有硬编码 AWS 凭证的解决方案。 Cognito 身份池在用户登录到 Cognito 用户池 [3] 后提供温度 AWS 凭证,从而启用 'adminAddToGroup' API 调用。
除了上述代码,您还需要在 AWS 控制台或使用 AWS CLI 上设置您的 Cognito 身份池。您可以在屏幕截图中找到详细信息。
您还需要为经过身份验证的用户创建一个身份验证 IAM 角色。这是策略示例。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cognito-idp:AdminRemoveUserFromGroup",
"cognito-idp:AdminAddUserToGroup"
],
"Resource": "Your_userpool_ARN"
}
]
}
参考:
[0]https://aws-amplify.github.io/aws-sdk-ios/docs/reference/Classes/AWSCognitoIdentityProvider.html#//api/name/adminAddUserToGroup:
[2]https://aws.amazon.com/blogs/mobile/how-amazon-cognito-keeps-mobile-app-users-data-safe/
[3]https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html
我正在使用 AWS Cognito 在我的 iOS APP (Swift) 中实现用户注册和登录。
当用户注册时,我想将该用户添加到已在我的 Cognito 用户池中创建的指定用户池组中。
我试过下面的 swift 代码,但它似乎不起作用。
用户注册后,他或她按下[addToGroup]按钮加入名为[GroupA]的用户池组。
@IBAction func addToGroupButton(_ sender: Any) {
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "ap-northeast-1_8H0k*****"
request?.username = eMailAdd
let identityProvider = AWSCognitoIdentityProvider()
identityProvider.adminAddUser(toGroup: request!).continueWith { (task) -> Any? in
DispatchQueue.main.async(execute: {
if let error = task.error {
print("\(error.localizedDescription)")
}
})
}
}
用户注册没有问题,我可以确认用户注册的信息。 但是,用户名没有出现在 GroupA 中。
有人能告诉我我的代码有什么问题吗?? 谢谢!
我假设您遇到了一些错误,例如 AWSCognitoIdentityProviderErrorNotAuthorized。因为这是一个 'admin' API 调用,'Requires developer credentials' 如此处所建议 [0].
我建议您对您的凭据进行硬编码,以测试此 API 调用是否首先有效
AWSStaticCredentialsProvider *credentialsProvider = [AWSStaticCredentialsProvider credentialsWithAccessKey:"your-access-key" secretKey:"your-secret-key"];
AWSServiceConfiguration *configuration = [AWSServiceConfiguration configurationWithRegion:AWSRegionUSEast1 credentialsProvider:credentialsProvider];
[AWSServiceManager defaultServiceManager].defaultServiceConfiguration = configuration;
请注意不要在您的生产环境中对您的凭据进行硬编码。
21/07/2019 更新:
let staticCredentialProvider = AWSStaticCredentialsProvider.init(accessKey: "yourAccessKey", secretKey: "yourSecretKey")
let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: staticCredentialProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "ap-southeast-2_xxxxxxxxx"
request?.username = "yourUserName"
AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!).continueWith { (task) -> Any? in
DispatchQueue.main.async(execute: {
if let error = task.error {
print("\(error.localizedDescription)")
}
})
}
我已经测试过了,上面的代码在我的测试环境下是可以运行的。我列在这里供大家参考。下一步将尝试从代码库中删除硬编码凭证。可以使用 Cognito 身份池获取临时凭证,而不是使用 AWSStaticCredentialsProvider。我估计如果有足够的许可,这个流程可以在没有开发人员证书的情况下工作。
26/07/2019 更新:
// using Cognito userpool with identity pool, to provider credential to AWSServiceManager
let serviceConfiguration = AWSServiceConfiguration(region: .APSoutheast2, credentialsProvider: nil)
let userPoolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: "YourUserPoolClientId", clientSecret: "YourUserPoolClientSecret", poolId: "YourUserPoolId")
AWSCognitoIdentityUserPool.register(with: serviceConfiguration, userPoolConfiguration: userPoolConfiguration, forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let pool = AWSCognitoIdentityUserPool(forKey: "RandomStringForIdentifyingYourPoolWithinThisApp")
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .APSoutheast2, identityPoolId: "YourIdentityPoolId", identityProviderManager:pool)
let configuration = AWSServiceConfiguration.init(region: .APSoutheast2, credentialsProvider: credentialsProvider)
AWSServiceManager.default()?.defaultServiceConfiguration = configuration
// sign in a user
pool.getUser("UserNameOfAUserInYourPool").getSession("UserNameOfAUserInYourPool", password: "PasswordOfAUserInYourPool", validationData: nil).continueWith { (task) -> Any? in
if let error = task.error {
print("user sign in error: \(error.localizedDescription)")
} else {
print("user session is: \(String(describing: task.result))")
}
// add a user to GroupA
let request = AWSCognitoIdentityProviderAdminAddUserToGroupRequest()
request?.groupName = "GroupA"
request?.userPoolId = "YourUserPoolId"
request?.username = "UserNameOfAUserInYourPool"
return AWSCognitoIdentityProvider.default().adminAddUser(toGroup: request!)
}.continueWith { (task) -> Any? in
if let error = task.error {
print("cannot add user to group \(error.localizedDescription)")
}
}
就像我建议的那样,这是没有硬编码 AWS 凭证的解决方案。 Cognito 身份池在用户登录到 Cognito 用户池 [3] 后提供温度 AWS 凭证,从而启用 'adminAddToGroup' API 调用。
除了上述代码,您还需要在 AWS 控制台或使用 AWS CLI 上设置您的 Cognito 身份池。您可以在屏幕截图中找到详细信息。
您还需要为经过身份验证的用户创建一个身份验证 IAM 角色。这是策略示例。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"cognito-idp:AdminRemoveUserFromGroup",
"cognito-idp:AdminAddUserToGroup"
],
"Resource": "Your_userpool_ARN"
}
]
}
参考: [0]https://aws-amplify.github.io/aws-sdk-ios/docs/reference/Classes/AWSCognitoIdentityProvider.html#//api/name/adminAddUserToGroup: [2]https://aws.amazon.com/blogs/mobile/how-amazon-cognito-keeps-mobile-app-users-data-safe/ [3]https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html