AWS Cognito External User Pool Identity Provider (OIDC)
I'm using a Cognito App Client integrated with an external provider (Twitch).
User authentication works fine, but because the code from the auth server is consumed by Cognito, I'm not sure how I should send Twitch requests with the token I would normally get from Twitch; Cognito doesn't use that code. I only have the Cognito code, which I can exchange for Cognito tokens with a request to https://{my-domain}/oauth2/token. The request returns id_token, access_token and refresh_token, which decoded look like this:
ID token
{
  "at_hash": "yTNkeTAqzqcXCYi3yLL2Pw",
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "cognito:username": "xxxxxxxxxxxx",
  "preferred_username": "xxxxxxxxxxxx",
  "nonce": "SxxlipCDVbXbcXa1H7Uf9_nM0uOurAAObUVCyreBDDux99QoAngUoiGdE0me-0Zon6fEVLLTSqD4EN1Y6_lFm48MaoBaxyywZCQKOT70gfQEfkuhlsjImJd1ko3qH3QKdlmvWSPCUZoACPYNSgR364VPELyQTVMkRTCt9eYROag",
  "aud": "35l1cn53cnj9sv1ndu8u01amk0",
  "identities": [
    {
      "userId": "xxxxxxxxxxxx",
      "providerName": "xxxxxxxxxxxx",
      "providerType": "OIDC",
      "issuer": null,
      "primary": "true",
      "dateCreated": "1588191000072"
    }
  ],
  "token_use": "id",
  "auth_time": 1588191003,
  "exp": 1588194603,
  "iat": 1588191003
}
Access token
{
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin phone openid profile email",
  "auth_time": 1588191003,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "exp": 1588194603,
  "iat": 1588191003,
  "version": 2,
  "jti": "55863213-c764-4b07-a386-a9c93d14e4b2",
  "client_id": "xxxxxxxxxxxx",
  "username": "xxxxxxxxxxxx"
}
How do I get the user's token to call the Twitch API (for example the GET https://api.twitch.tv/helix/users endpoint, which requires an authorized user token)?
Note - if done incorrectly you will expose sensitive attributes to the client.
You need to create 2 versions of the attributes - custom and dev:custom - map the OIDC provider attributes to the custom attributes (it seems dev:custom is not mappable), then in the TokenGeneration_HostedAuth trigger you need to get those custom attributes, set the dev:custom ones, and delete the custom ones.
Seems like a hack, but I don't see another way to do this and keep the tokens secure.
The solution is to create custom attributes in your user pool and then map those attributes for the identity provider. It looks like:
'custom:refresh_token': refresh_token
'custom:id_token': id_token
'custom:access_token': access_token
CloudFormation template:
User pool
....
  Schema: [
    {
      AttributeDataType: 'String',
      DeveloperOnlyAttribute: true,
      Mutable: true,
      Name: 'refresh_token',
      Required: false,
    },
    {
      AttributeDataType: 'String',
      DeveloperOnlyAttribute: true,
      Mutable: true,
      Name: 'access_token',
      Required: false,
    },
    {
      AttributeDataType: 'String',
      DeveloperOnlyAttribute: true,
      Mutable: true,
      Name: 'id_token',
      Required: false,
    },
    {
      AttributeDataType: 'String',
      Mutable: true,
      Name: 'refresh_token',
      Required: false,
    },
    {
      AttributeDataType: 'String',
      Mutable: true,
      Name: 'access_token',
      Required: false,
    },
    {
      AttributeDataType: 'String',
      Mutable: true,
      Name: 'id_token',
      Required: false,
    },
  ],
....
User pool identity provider
....
  AttributeMapping: {
    'custom:refresh_token': 'refresh_token',
    'custom:access_token': 'access_token',
    'custom:id_token': 'id_token',
  },
....
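As an added example (not part of the original answer and not AWS's code), here is the trigger step the answer describes, in Node.js: a Pre Token Generation handler that copies the mapped custom:* attributes into dev:custom:* ones, deletes the custom:* copies, and suppresses them from the ID token being issued, followed by the backend-side read of the stored Twitch token with admin credentials. The Cognito client is injected so the logic runs offline against an in-memory fake; the sdkV2Adapter method names (adminUpdateUserAttributes, adminDeleteUserAttributes, adminGetUser, each with .promise()) follow the AWS SDK v2 CognitoIdentityServiceProvider API, while the fake client, attribute values, pool id and user name are constructed for the demo. The reason the custom:* copies must be removed is visible in the question's access token: its aws.cognito.signin.user.admin scope lets the token holder call GetUser, which returns ordinary custom attributes but never developer-only (dev:) ones.

```javascript
'use strict';

// Attribute base names the CloudFormation schema above declares twice:
// once as client-readable custom:<name>, once as developer-only dev:custom:<name>.
const TOKEN_ATTRS = ['refresh_token', 'access_token', 'id_token'];

// Builds the Pre Token Generation handler. `cognito` is any object exposing
// adminUpdateUserAttributes, adminDeleteUserAttributes and adminGetUser as
// promise-returning functions (see sdkV2Adapter below); injecting it lets the
// same logic run here against the in-memory fake further down.
function makePreTokenGenerationHandler(cognito) {
  return async function handler(event) {
    // Only the hosted-UI federation flow carries freshly mapped provider tokens;
    // every other trigger source is passed through untouched.
    if (event.triggerSource !== 'TokenGeneration_HostedAuth') return event;

    const attrs = (event.request && event.request.userAttributes) || {};
    const present = TOKEN_ATTRS.filter((n) => attrs[`custom:${n}`] !== undefined);
    if (present.length === 0) return event;

    const target = { UserPoolId: event.userPoolId, Username: event.userName };

    // 1. Copy the values into developer-only attributes, which the user's own
    //    access token cannot read back through GetUser.
    await cognito.adminUpdateUserAttributes({
      ...target,
      UserAttributes: present.map((n) => ({ Name: `dev:custom:${n}`, Value: attrs[`custom:${n}`] })),
    });

    // 2. Remove the client-readable copies.
    await cognito.adminDeleteUserAttributes({
      ...target,
      UserAttributeNames: present.map((n) => `custom:${n}`),
    });

    // 3. Keep the values out of the ID token about to be minted: the attributes
    //    were still present in this invocation's input even though they are now deleted.
    event.response = Object.assign({}, event.response, {
      claimsOverrideDetails: { claimsToSuppress: present.map((n) => `custom:${n}`) },
    });
    return event;
  };
}

// Backend-side read with admin credentials, e.g. fetching the Twitch access
// token before calling https://api.twitch.tv/helix/users for the user.
// Returns null when the attribute is absent.
async function getProviderToken(cognito, userPoolId, username, name) {
  const user = await cognito.adminGetUser({ UserPoolId: userPoolId, Username: username });
  const hit = (user.UserAttributes || []).find((a) => a.Name === `dev:custom:${name}`);
  return hit ? hit.Value : null;
}

// Adapter for an AWS SDK v2 CognitoIdentityServiceProvider instance (used in
// Lambda; not exercised here so the file runs without the SDK installed).
function sdkV2Adapter(idp) {
  return {
    adminUpdateUserAttributes: (p) => idp.adminUpdateUserAttributes(p).promise(),
    adminDeleteUserAttributes: (p) => idp.adminDeleteUserAttributes(p).promise(),
    adminGetUser: (p) => idp.adminGetUser(p).promise(),
  };
}

// Constructed in-memory stand-in for the Cognito admin APIs, keyed by attribute name.
function makeFakeCognito(store) {
  return {
    async adminUpdateUserAttributes({ UserAttributes }) {
      for (const { Name, Value } of UserAttributes) store[Name] = Value;
      return {};
    },
    async adminDeleteUserAttributes({ UserAttributeNames }) {
      for (const n of UserAttributeNames) delete store[n];
      return {};
    },
    async adminGetUser() {
      return { UserAttributes: Object.entries(store).map(([Name, Value]) => ({ Name, Value })) };
    },
  };
}

// End-to-end run on constructed data; returns the attribute store after the
// trigger, the modified event, and what the backend reads back.
async function demo() {
  const store = {
    email: 'user@example.com',                        // constructed
    'custom:access_token': 'twitch-access-EXAMPLE',   // constructed placeholder
    'custom:refresh_token': 'twitch-refresh-EXAMPLE', // constructed placeholder
  };
  const event = {
    version: '1',
    triggerSource: 'TokenGeneration_HostedAuth',
    userPoolId: 'us-east-1_EXAMPLE', // constructed
    userName: 'twitch_12345',        // constructed
    request: { userAttributes: { ...store } },
    response: {},
  };
  const cognito = makeFakeCognito(store);
  const out = await makePreTokenGenerationHandler(cognito)(event);
  const twitchToken = await getProviderToken(cognito, event.userPoolId, event.userName, 'access_token');
  return { store, out, twitchToken };
}

if (typeof require !== 'undefined' && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

Deployed as the pool's Pre Token Generation Lambda, the function's execution role needs cognito-idp:AdminUpdateUserAttributes and cognito-idp:AdminDeleteUserAttributes on the user pool, and whatever backend reads the stored provider tokens needs cognito-idp:AdminGetUser; the user's own tokens should never be able to reach any of these.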