将 AWS Cognito 用户迁移到 Auth0
Migrate AWS Cognito users to Auth0
我想将所有现有用户从 AWS Cognito 用户池迁移到 Auth0。最好能保留现有密码;如果必须更改密码,则采用即时(just-in-time)迁移。我在网上看到过将 Okta/Stormpath 等用户迁移到 Auth0 的指南,但没有找到任何关于 Cognito 与 Auth0 集成的资料。任何建议都会有所帮助。
有两种方法可以将用户导入 Auth0:
目前,确实没有简单的方法可以将用户从 AWS Cognito 中导出。即使导出成功,导出的用户配置文件也不会包含密码哈希,因此在迁移到以 Auth0 作为身份提供者之后,用户必须重置他们的帐户密码,这并不理想。所以批量迁移不可行。
相反,自动迁移可能是可行的方法。您需要在 Auth0 中配置一个自定义数据库(Custom Database),将其指向您的 AWS Cognito 用户池,并定义两个脚本:一个用于获取用户(get user),另一个用于登录用户(login)。
默认情况下,AWS 不会通过 API 公开这些端点,但它们在 amazon-cognito-identity-js npm 包中确实具有类似的功能(根据 场景 4 在文档中)。
感谢 @yvovandoorn 编写了这段 JavaScript 代码:您可以在 Auth0 自定义数据库的 get-user 和 login 脚本中使用此 npm 包来执行自动迁移。只需确保在自定义数据库设置中启用“将用户导入 Auth0”(Import Users to Auth0)选项。
get-user.js
/*
Requires Auth0 Global Variables to be set - https://auth0.com/docs/rules/configure-global-variables-for-rules
If testing locally (or not wanting to use Auth0 Global Variables):
const configuration = {
"accessKeyId": "AKIAIBDT5G4M237CZSMQ",
"secretAccessKey": "your-cognito-secret-access-key",
"region": "eu-west-1",
"UserPoolId": "eu-west-1_V69pvauTp"
*/
function getUser(username, callback) {
const userParameters = ["email", "email_verified", "custom:designation"];
const AWS = require('aws-sdk@2.593.0');
AWS.config.update({ "accessKeyId": configuration.accessKeyId, "secretAccessKey": configuration.secretAccessKey, "region": configuration.region });
const cognito = new AWS.CognitoIdentityServiceProvider();
cognito.adminGetUser({
UserPoolId: configuration.UserPoolId,
Username: username
}, (err, data) => {
if (err) {
console.log(err);
if (err.code === "UserNotFoundException") return callback(null);
else callback(err);
}
else {
console.log(data);
if (data.code === "UserNotFoundException") return callback(null);
else {
let profile = {
"user_id": data.UserAttributes.find(item=>item.Name==="sub").Value,
"username": data.Username,
};
userParameters.forEach(customParameterName => {
profile[customParameterName] = data.UserAttributes.find(item=>item.Name===customParameterName).Value;
});
return callback(null, profile);
}
}
});
}
login.js
/*
Read Stack Overflow article about potential window issue:
Requires Auth0 Global Variables to be set - https://auth0.com/docs/rules/configure-global-variables-for-rules
If testing locally (or not wanting to use Auth0 Global Variables):
const configuration = {
"ClientId": "nzHNdG0XGS4qSaS5p0EZZesoIO2xfKQDRMgWPoce",
"UserPoolId": "eu-west-1_V69pvauTp"
*/
function login(username, password, callback) {
global.fetch = require('node-fetch@2.6.0');
var AmazonCognitoIdentity = require('amazon-cognito-identity-js@3.0.14');
var poolData = {
UserPoolId: configuration.UserPoolId,
ClientId: configuration.ClientId
};
var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);
var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails({
Username: username,
Password: password
});
var userData = {
Username: username,
Pool: userPool
};
var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: function (result) {
//console.log(result);
var idTokenPayload = result.getIdToken().payload;
console.log(idTokenPayload);
var profile = {
user_id: idTokenPayload.sub,
email: idTokenPayload.email,
/* might want to set this to false if you're not validating email addresses */
email_verified: true,
};
console.log({ result, idTokenPayload, profile });
callback(null, profile);
},
onFailure: (function (err) {
return callback(new WrongUsernameOrPasswordError(username))
})
});
}
我想将所有现有用户从 AWS Cognito 用户池迁移到 Auth0。最好能保留现有密码;如果必须更改密码,则采用即时(just-in-time)迁移。我在网上看到过将 Okta/Stormpath 等用户迁移到 Auth0 的指南,但没有找到任何关于 Cognito 与 Auth0 集成的资料。任何建议都会有所帮助。
有两种方法可以将用户导入 Auth0:
目前,确实没有简单的方法可以将用户从 AWS Cognito 中导出。即使导出成功,导出的用户配置文件也不会包含密码哈希,因此在迁移到以 Auth0 作为身份提供者之后,用户必须重置他们的帐户密码,这并不理想。所以批量迁移不可行。
相反,自动迁移可能是可行的方法。您需要在 Auth0 中配置一个自定义数据库(Custom Database),将其指向您的 AWS Cognito 用户池,并定义两个脚本:一个用于获取用户(get user),另一个用于登录用户(login)。
默认情况下,AWS 不会通过 API 公开这些端点,但它们在 amazon-cognito-identity-js npm 包中确实具有类似的功能(根据 场景 4 在文档中)。
感谢 @yvovandoorn 编写了这段 JavaScript 代码:您可以在 Auth0 自定义数据库的 get-user 和 login 脚本中使用此 npm 包来执行自动迁移。只需确保在自定义数据库设置中启用“将用户导入 Auth0”(Import Users to Auth0)选项。
get-user.js
/*
Requires Auth0 Global Variables to be set - https://auth0.com/docs/rules/configure-global-variables-for-rules
If testing locally (or not wanting to use Auth0 Global Variables):
const configuration = {
"accessKeyId": "AKIAIBDT5G4M237CZSMQ",
"secretAccessKey": "your-cognito-secret-access-key",
"region": "eu-west-1",
"UserPoolId": "eu-west-1_V69pvauTp"
*/
function getUser(username, callback) {
const userParameters = ["email", "email_verified", "custom:designation"];
const AWS = require('aws-sdk@2.593.0');
AWS.config.update({ "accessKeyId": configuration.accessKeyId, "secretAccessKey": configuration.secretAccessKey, "region": configuration.region });
const cognito = new AWS.CognitoIdentityServiceProvider();
cognito.adminGetUser({
UserPoolId: configuration.UserPoolId,
Username: username
}, (err, data) => {
if (err) {
console.log(err);
if (err.code === "UserNotFoundException") return callback(null);
else callback(err);
}
else {
console.log(data);
if (data.code === "UserNotFoundException") return callback(null);
else {
let profile = {
"user_id": data.UserAttributes.find(item=>item.Name==="sub").Value,
"username": data.Username,
};
userParameters.forEach(customParameterName => {
profile[customParameterName] = data.UserAttributes.find(item=>item.Name===customParameterName).Value;
});
return callback(null, profile);
}
}
});
}
login.js
/*
Read Stack Overflow article about potential window issue:
Requires Auth0 Global Variables to be set - https://auth0.com/docs/rules/configure-global-variables-for-rules
If testing locally (or not wanting to use Auth0 Global Variables):
const configuration = {
"ClientId": "nzHNdG0XGS4qSaS5p0EZZesoIO2xfKQDRMgWPoce",
"UserPoolId": "eu-west-1_V69pvauTp"
*/
function login(username, password, callback) {
global.fetch = require('node-fetch@2.6.0');
var AmazonCognitoIdentity = require('amazon-cognito-identity-js@3.0.14');
var poolData = {
UserPoolId: configuration.UserPoolId,
ClientId: configuration.ClientId
};
var userPool = new AmazonCognitoIdentity.CognitoUserPool(poolData);
var authenticationDetails = new AmazonCognitoIdentity.AuthenticationDetails({
Username: username,
Password: password
});
var userData = {
Username: username,
Pool: userPool
};
var cognitoUser = new AmazonCognitoIdentity.CognitoUser(userData);
cognitoUser.authenticateUser(authenticationDetails, {
onSuccess: function (result) {
//console.log(result);
var idTokenPayload = result.getIdToken().payload;
console.log(idTokenPayload);
var profile = {
user_id: idTokenPayload.sub,
email: idTokenPayload.email,
/* might want to set this to false if you're not validating email addresses */
email_verified: true,
};
console.log({ result, idTokenPayload, profile });
callback(null, profile);
},
onFailure: (function (err) {
return callback(new WrongUsernameOrPasswordError(username))
})
});
}