Cognito 用户池作为具有客户端凭据的身份提供者仅在保存在 aws 控制台后才有效
Cognito Userpool as identy provider with client credentials works only after saving in aws console
我正在使用无服务器框架在 aws 中部署无服务器应用程序。我正在使用认知用户池和客户端凭据身份验证设置 AUTH2。
部署后它不起作用,当我通过邮递员请求新令牌时,我收到错误授权无效。
当我登录到 aws 控制台时,打开 cognito 应用程序客户端页面(刷新页面)并单击“保存”按钮(不更改任何内容),它起作用了。我可以请求作为访问令牌并可以登录到我的应用程序。
它会一直工作到我的下一次部署,所以自动部署是不可能的。可能是什么原因?当我点击保存按钮时会发生什么?
这是我的部署代码
resources:
资源:
UserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Properties:
UserPoolId:
Ref: CognitoUserPool
Domain: "myapp-user-pool-domain"
CognitoUserPool:
Type: "AWS::Cognito::UserPool"
Properties:
MfaConfiguration: OFF
UserPoolName: myapp-user-pool
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
UsernameAttributes:
- email
CognitoUserPoolClient:
Type: "AWS::Cognito::UserPoolClient"
Properties:
ClientName: myapp-user-pool-client
GenerateSecret: True
UserPoolId:
Ref: CognitoUserPool
AllowedOAuthFlows: [ "client_credentials"]
ExplicitAuthFlows: ["ALLOW_USER_PASSWORD_AUTH","ALLOW_REFRESH_TOKEN_AUTH" ]
SupportedIdentityProviders: [ "COGNITO" ]
AllowedOAuthScopes: [ "myapp/odata4","myapp/trigger" ]
PreventUserExistenceErrors: ENABLED
ApiGatewayAuthorizer:
DependsOn:
- ApiGatewayRestApi
Type: AWS::ApiGateway::Authorizer
Properties:
Name: cognito-authorizer
IdentitySource: method.request.header.Authorization
RestApiId:
Ref: ApiGatewayRestApi
Type: COGNITO_USER_POOLS
ProviderARNs:
- Fn::GetAtt: [ CognitoUserPool, Arn ]
UserPoolResourceServer:
Type: AWS::Cognito::UserPoolResourceServer
Properties:
UserPoolId:
Ref: CognitoUserPool
Identifier: "myapp"
Name: "myapp"
Scopes:
- ScopeName: "results"
ScopeDescription: "provides myapp results"
- ScopeName: "trigger"
ScopeDescription: "trigger for myapp start"
谁能帮忙?
谢谢
必须将以下行添加到 CognitoUserPoolClient:AllowedOAuthFlowsUserPoolClient: True。然后就可以了。
我正在使用无服务器框架在 aws 中部署无服务器应用程序。我正在使用认知用户池和客户端凭据身份验证设置 AUTH2。 部署后它不起作用,当我通过邮递员请求新令牌时,我收到错误授权无效。 当我登录到 aws 控制台时,打开 cognito 应用程序客户端页面(刷新页面)并单击“保存”按钮(不更改任何内容),它起作用了。我可以请求作为访问令牌并可以登录到我的应用程序。 它会一直工作到我的下一次部署,所以自动部署是不可能的。可能是什么原因?当我点击保存按钮时会发生什么? 这是我的部署代码
resources:
资源:
UserPoolDomain:
Type: AWS::Cognito::UserPoolDomain
Properties:
UserPoolId:
Ref: CognitoUserPool
Domain: "myapp-user-pool-domain"
CognitoUserPool:
Type: "AWS::Cognito::UserPool"
Properties:
MfaConfiguration: OFF
UserPoolName: myapp-user-pool
AdminCreateUserConfig:
AllowAdminCreateUserOnly: true
UsernameAttributes:
- email
CognitoUserPoolClient:
Type: "AWS::Cognito::UserPoolClient"
Properties:
ClientName: myapp-user-pool-client
GenerateSecret: True
UserPoolId:
Ref: CognitoUserPool
AllowedOAuthFlows: [ "client_credentials"]
ExplicitAuthFlows: ["ALLOW_USER_PASSWORD_AUTH","ALLOW_REFRESH_TOKEN_AUTH" ]
SupportedIdentityProviders: [ "COGNITO" ]
AllowedOAuthScopes: [ "myapp/odata4","myapp/trigger" ]
PreventUserExistenceErrors: ENABLED
ApiGatewayAuthorizer:
DependsOn:
- ApiGatewayRestApi
Type: AWS::ApiGateway::Authorizer
Properties:
Name: cognito-authorizer
IdentitySource: method.request.header.Authorization
RestApiId:
Ref: ApiGatewayRestApi
Type: COGNITO_USER_POOLS
ProviderARNs:
- Fn::GetAtt: [ CognitoUserPool, Arn ]
UserPoolResourceServer:
Type: AWS::Cognito::UserPoolResourceServer
Properties:
UserPoolId:
Ref: CognitoUserPool
Identifier: "myapp"
Name: "myapp"
Scopes:
- ScopeName: "results"
ScopeDescription: "provides myapp results"
- ScopeName: "trigger"
ScopeDescription: "trigger for myapp start"
谁能帮忙? 谢谢
必须将以下行添加到 CognitoUserPoolClient:AllowedOAuthFlowsUserPoolClient: True。然后就可以了。