AWS AppSync with Firebase as OpenID Connect provider

I want to use Firebase Auth to secure my AWS AppSync GraphQL API instead of something like Cognito. There are several reasons behind this, such as pricing and the fact that we already use some other Firebase services.

The only viable solution I can see at the moment is to somehow pass the Firebase user token to my AppSync GraphQL API and validate it via OpenID Connect / OIDC.

I can't figure this out and can't find any guides on the topic, so I wanted to ask here whether it is possible and, if so, whether anyone can provide an example or a complete reference?

Here are the relevant fields of the OpenID Connect data that need to be provided to AppSync: https://docs.aws.amazon.com/cdk/api/latest/docs/@aws-cdk_aws-appsync.OpenIdConnectConfig.html

Do these exist for Firebase Authentication?

Update: I found some documentation on Firebase token verification: https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library

I believe the following URL is what needs to be used as the OpenID URL setting in AppSync: https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

But the AppSync docs state that they append /.well-known/openid-configuration to such a URL, and when I do that with the googleapis URL above it returns a 404.

AppSync needs an OpenID Connect Provider (OP). More specifically, it needs the OP's issuer; the rest of the metadata is retrieved based on it. From the AppSync docs:

OPENID_CONNECT Authorization

This authorization type enforces OpenID Connect (OIDC) tokens provided by an OIDC-compliant service. Your application can leverage users and privileges defined by your OIDC provider for controlling access.

An Issuer URL is the only required configuration value that you provide to AWS AppSync (for example, https://auth.example.com). This URL must be addressable over HTTPS. AWS AppSync appends /.well-known/openid-configuration to the issuer URL and locates the OpenID configuration at https://auth.example.com/.well-known/openid-configuration per the OpenID Connect Discovery specification.

Firebase is (primarily) a middleware. Even though you can have user accounts reside in Firebase, the more typical use case is to plug providers such as Google or Microsoft into Firebase. You can then use the Firebase API to perform various operations without needing to know the details of the underlying provider.

Whether acting as middleware or as the identity store for users in Firebase, it is not clear that Firebase is an OIDC-compliant provider. OpenID publishes OIDC conformance tests as well as entities that have been certified. The only Google entity on the latter list is a "Google Federated Identity". Certification aside, Firebase does issue a signed JWT that, according to them, is the moral equivalent of an id_token in OIDC:

ID token verification

If your Firebase client app communicates with your backend server, you might need to identify the currently signed-in user on your server so you can perform server-side logic on their behalf. You can do this securely by using ID tokens, which are created by Firebase when a user signs into a Firebase app.

ID tokens conform to the OpenID Connect spec and contain data to identify a user, as well as some other profile and authentication related information. You can send, verify, and inspect these tokens from your own backends. This allows you to securely identify the currently signed in user and authorize them into your own backend resources.

If you create a Firebase project, authenticate against it and inspect the issued token, you will see an iss (issuer) key in the token payload. Its value is https://securetoken.google.com/<Firebase projectId>, which is the URL AppSync needs.

You can confirm that the OIDC metadata is available by appending /.well-known/openid-configuration to https://securetoken.google.com/<Firebase projectId> and performing a GET on the resulting URL. The expected response should look like this:

{
  "issuer": "https://securetoken.google.com/<Firebase project id>",
  "jwks_uri": "https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com",
  "response_types_supported": [
    "id_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ]
}