时间戳

首页 > 解决方案 > 限制登录到 AWS 联合身份池的企业 Google 域

amazon-web-services - 限制登录到 AWS 联合身份池的企业 Google 域

问题描述

我正在使用带有 aws-amplify ( https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities ) 的联合身份池,并且我想将域的范围限制为我的 google 域组织(例如 johndoe@foobar.com)。

似乎没有办法将其锁定在 Google API 控制台或 AWS Cognito 身份池设置中,只是提示可以将 hd 参数附加到 google 请求以按域限制它(仍然需要修改 aws-amplify 核心包),它仍然不安全,因为任何人都可以在没有 hd 的情况下发出相同的请求并获得对 cognito 的访问权限。

我的问题是:有没有办法将 google oauth 密钥限制为仅允许 @foobar.com 电子邮件地址,或者使用 aws cognito 实施相同的限制?

标签: amazon-web-servicesgoogle-oauthamazon-cognitoaws-amplifygoogle-domain-api

解决方案

我相信我找到了解决方案(通过几次快速测试,它似乎工作正常)

不要试图通过角色中的信任关系来控制托管域部分。

  • 转到:Cognito / 编辑身份池 / 身份验证提供程序

  • 选择谷歌+

  • 在“经过身份验证的角色选择”中选择“使用规则选择角色”

  • 现在要求声明“hd”“等于”<your-domain>

  • 将“角色解析”设置为“拒绝”

来源:https ://forums.aws.amazon.com/thread.jspa?messageID=527303

这是一个 cloudformation 堆栈,可以一次性设置所有内容(身份池、角色等)。您需要在所有标有注释的地方进行必要的调整。EDIT HERE:

AWSTemplateFormatVersion : 2010-09-09
Description : "An Identity Pool stack which uses Google for sign-in"


Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: identity_pool_a
      AllowUnauthenticatedIdentities: false
      SupportedLoginProviders: 
        # EDIT HERE:
        "accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"

  IdentityForbiddenRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow 
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: None
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action: "*"
                Resource: "*"

  IdentityAllowedRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: UserPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # EDIT HERE:
                Action: "s3:GetObject"
                # EDIT HERE:
                Resource: "arn:aws:s3:::my-bucket/*"

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles: 
        unauthenticated: !GetAtt IdentityForbiddenRole.Arn
        authenticated: !GetAtt IdentityForbiddenRole.Arn
      RoleMappings: 
        accounts.google.com:
          AmbiguousRoleResolution: Deny
          Type: Rules
          RulesConfiguration:
            Rules:
              - Claim: hd
                MatchType: Equals
                # EDIT HERE:
                Value: mydomain.com
                RoleARN: !GetAtt IdentityAllowedRole.Arn

推荐阅读