Sharing an authorizer between different HTTP API services in AWS using Serverless

Problem description

I would like to share a single authorizer between different HTTP API services that use Serverless. I have seen various links that explain how to split different endpoints/services into separate holders, each with its own serverless.yml file, but I cannot find anything about sharing an authorizer between them.

I am using a basic HTTP API example (not the REST API setup), as follows:

org: orgexample
app: app-example
service: notes-api

plugins:
  - serverless-bundle

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-west-2
  environment:
    DOMAIN_SUFFIX: notes-api
  httpApi:
    authorizers:
      # JWT authorizer: API Gateway checks the bearer token's signature, issuer and
      # audience against the Cognito user pool below before invoking the function.
      serviceAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl:
          Fn::Join:
            - ""
            - - "https://cognito-idp."
              - "${opt:region, self:provider.region}"
              - ".amazonaws.com/"
              - Ref: serviceUserPool
        audience:
          - Ref: serviceUserPoolClient
functions:
  getProfileInfo:
    handler: main.get
    events:
      - httpApi:
          method: GET
          path: /user/profile
          authorizer: serviceAuthorizer
  createProfileInfo:
    handler: main.post
    events:
      - httpApi:
          method: POST
          path: /user/profile
          authorizer: serviceAuthorizer

resources:
  Resources:
    # Overrides the HttpApi resource that Serverless generates so that it is
    # created only after the user pool exists.
    HttpApi:
      DependsOn: serviceUserPool
    serviceUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-user-pool-${opt:stage, self:provider.stage}
        UsernameAttributes:
          - email
        AutoVerifiedAttributes:
          - email
    serviceUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: ${self:service}-user-pool-client-${opt:stage, self:provider.stage}
        AllowedOAuthFlows:
          # implicit returns tokens in the redirect URL fragment; authorization code
          # with PKCE is the safer choice for a public (secret-less) client.
          - implicit
        AllowedOAuthFlowsUserPoolClient: true
        AllowedOAuthScopes:
          - phone
          - email
          - openid
          - profile
          - aws.cognito.signin.user.admin
        UserPoolId:
          Ref: serviceUserPool
        CallbackURLs:
          - https://localhost:3000
        ExplicitAuthFlows:
          - ALLOW_USER_SRP_AUTH
          - ALLOW_REFRESH_TOKEN_AUTH
        GenerateSecret: false
        SupportedIdentityProviders:
          - COGNITO
    serviceUserPoolDomain:
      Type: AWS::Cognito::UserPoolDomain
      Properties:
        UserPoolId:
          Ref: serviceUserPool
        Domain: ${self:service}-user-pool-domain-${opt:stage, self:provider.stage}-${self:provider.environment.DOMAIN_SUFFIX}

This creates the HTTP API and the API Gateway and wraps it in a Cognito authorizer. I want to set up a second service that uses the same authorizer.

I have seen similar questions, but none of them deal with HTTP API and a shared Cognito authorizer. Useful links:
https://seed.run/blog/how-to-structure-a-real-world-monorepo-serverless-app.html
https://github.com/seed-run/serverless-template-monorepo

Tags: amazon-cognito, serverless-framework, serverless, aws-serverless

Solution

Try this:

provider:
  httpApi:
    id: xxxx # Required: ID of the existing HTTP API that owns the authorizer

functions:
  createUser:
    ...
    events:
      - httpApi:
          path: /users
          ...
          authorizer:
            # Provide authorizerId
            id:
              Ref: ApiGatewayAuthorizer  # or hard-code Authorizer ID (Ref only resolves inside the stack that declares the authorizer)
            scopes: # Optional - List of Oauth2 scopes
              - myapp/myscope
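As an added example that is not part of the question or the answer above, here is how the two halves fit together across two Serverless services: the first service (the notes-api from the question) keeps the HTTP API, the Cognito user pool and the JWT authorizer, and exports the authorizer ID as a CloudFormation output; the second service attaches its routes to that same API and authorizer through the Serverless `${cf:...}` variable source, which reads another stack's outputs at deploy time. The second service name `profile-api`, the stack name `notes-api-<stage>` (the framework's default `<service>-<stage>`) and the logical ID `HttpApiAuthorizerServiceAuthorizer` (the name Serverless generates for an authorizer called `serviceAuthorizer`) are assumptions; confirm the logical ID in the compiled template under `.serverless/` after running `serverless package`.

```yaml
# ---------------------------------------------------------------------------
# notes-api/serverless.yml  (first service: owns the HTTP API, the Cognito
# user pool and the JWT authorizer). Added example, not the poster's file.
# ---------------------------------------------------------------------------
service: notes-api

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-west-2
  httpApi:
    authorizers:
      serviceAuthorizer:
        identitySource: $request.header.Authorization
        issuerUrl:
          Fn::Join:
            - ""
            - - "https://cognito-idp."
              - "${opt:region, self:provider.region}"
              - ".amazonaws.com/"
              - Ref: serviceUserPool
        audience:
          - Ref: serviceUserPoolClient

functions:
  getProfileInfo:
    handler: main.get
    events:
      - httpApi:
          method: GET
          path: /user/profile
          authorizer: serviceAuthorizer

resources:
  Resources:
    serviceUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-user-pool-${opt:stage, self:provider.stage}
        UsernameAttributes: [email]
        AutoVerifiedAttributes: [email]
    serviceUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: ${self:service}-user-pool-client-${opt:stage, self:provider.stage}
        UserPoolId: { Ref: serviceUserPool }
        GenerateSecret: false
        ExplicitAuthFlows: [ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH]
  Outputs:
    # Serverless already publishes HttpApiId and HttpApiUrl as stack outputs.
    # The authorizer ID is not published, so export it explicitly. The logical
    # ID below is the one Serverless generates for an authorizer named
    # "serviceAuthorizer" (assumption: verify it in the compiled template).
    ServiceAuthorizerId:
      Value:
        Ref: HttpApiAuthorizerServiceAuthorizer

---
# ---------------------------------------------------------------------------
# profile-api/serverless.yml  (second service, hypothetical name; deploy it
# after notes-api because it reads that stack's outputs at deploy time)
# ---------------------------------------------------------------------------
service: profile-api

custom:
  stage: ${opt:stage, self:provider.stage}
  # Stack name of the first service (Serverless default: <service>-<stage>).
  authStack: notes-api-${self:custom.stage}

provider:
  name: aws
  runtime: nodejs12.x
  region: eu-west-2
  httpApi:
    # Do not create a new HTTP API; add this service's routes to the one that
    # notes-api created. An HTTP API authorizer belongs to exactly one API,
    # so sharing the authorizer requires sharing the API as well.
    id: ${cf:${self:custom.authStack}.HttpApiId}

functions:
  listNotes:
    handler: main.list
    events:
      - httpApi:
          method: GET
          path: /notes
          authorizer:
            # Reference the existing authorizer by ID instead of declaring a
            # second one; provider.httpApi.authorizers is deliberately absent.
            id: ${cf:${self:custom.authStack}.ServiceAuthorizerId}
```

Deploy notes-api first, since the `cf:` lookups fail if the outputs do not exist yet, and redeploy profile-api whenever the authorizer in notes-api is replaced, because the ID is resolved at deploy time rather than at request time. Note what sharing means for authorization: every route in both services now accepts any token issued by that user pool for the client listed in `audience`, so a restriction to one service has to come from the optional `scopes` list in the answer (checked against the access token's scope claim) or from the handler itself.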
