Question

I know of two ways to authenticate as a user and obtain an access token: one is through the hosted UI, the other is using the various SDKs that are provided.

What I am looking for is an endpoint from which I can obtain the access token directly with the user's credentials, something like:

POST https://that-special-endpoint.com/login
{
  "username": "example@email.com",
  "password": "Abc123456",
  ...client ID, etc.
}

I have searched for a while but cannot find how to do this. Is it impossible because of some security concern I am not aware of?

I did consider creating a Lambda API that uses the Cognito SDK to cover my use case, but I am not sure whether that is advisable...

Tags: amazon-web-services, aws-lambda, amazon-cognito

Answer


A similar question was answered here. You can call the InitiateAuth and RespondToAuthChallenge APIs at https://cognito-idp.[region].amazonaws.com/.

Initiate authentication (InitiateAuth)


  1. Create a JSON file, aws-auth-data.json:
{
    "AuthParameters": {
        "USERNAME": "your-email@example.com",
        "PASSWORD": "your-first-password",
        "SECRET_HASH": "......(required if the app client is configured with a client secret)"
    },
    "AuthFlow": "USER_PASSWORD_AUTH",
    "ClientId": "5m........................"
}
  2. Send the request to https://cognito-idp.us-east-2.amazonaws.com/ (if the user pool is in the us-east-2 region) to call the InitiateAuth API and start the authentication flow:
curl -X POST --data @aws-auth-data.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.InitiateAuth' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/
  3. You then get the user's tokens:
{
    "AuthenticationResult": {
        "AccessToken": "eyJra........",
        "ExpiresIn": 3600,
        "IdToken": "eyJra........",
        "RefreshToken": "eyJjd........",
        "TokenType": "Bearer"
    },
    "ChallengeParameters": {}
}

Respond to the authentication challenge (RespondToAuthChallenge)

You may receive a challenge in the InitiateAuth response. For example, when you try InitiateAuth for the first time, the system will ask you to change your password:

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeParameters": {
        "USER_ID_FOR_SRP": "abababab-......",
        "requiredAttributes": "[]",
        "userAttributes": "{\"email_verified\":\"true\",\"email\":\"your-email@example.com\"}"
    },
    "Session": "DNdY......"
}

In that case, change the password with RespondToAuthChallenge and you will get the tokens. Put the challenge response in aws-change-password.json:

{
    "ChallengeName": "NEW_PASSWORD_REQUIRED",
    "ChallengeResponses": {
        "USERNAME": "your-email@example.com",
        "NEW_PASSWORD": "your-second-password"
    },
    "ClientId": "5m........................",
    "Session": "DNdYN...(what you got in the preceding response)"
}

curl -X POST --data @aws-change-password.json \
-H 'X-Amz-Target: AWSCognitoIdentityProviderService.RespondToAuthChallenge' \
-H 'Content-Type: application/x-amz-json-1.1' \
https://cognito-idp.us-east-2.amazonaws.com/

See also:

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_RespondToAuthChallenge.html

https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-authentication-flow.html#amazon-cognito-user-pools-client-side-authentication-flow
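The same two calls as a script, added here as an example rather than code from the answer: it computes the SECRET_HASH the answer's placeholder stands for (Base64 of HMAC-SHA256 over username + client id, keyed with the app client secret), sends InitiateAuth, and answers a NEW_PASSWORD_REQUIRED challenge with RespondToAuthChallenge. The region, client id, credentials and `fake_cognito` stub are constructed placeholders; with the default `send` it talks to the real regional endpoint.

```python
import base64
import hashlib
import hmac
import json
import urllib.request

def secret_hash(username, client_id, client_secret):
    """SECRET_HASH = Base64(HMAC-SHA256(key=client secret, msg=username + client id))."""
    mac = hmac.new(client_secret.encode(), (username + client_id).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")

def http_send(req):
    with urllib.request.urlopen(req) as resp:  # real transport; returns the raw body
        return resp.read()

def cognito_call(region, action, body, send=http_send):
    """One JSON-1.1 POST to the regional cognito-idp endpoint; action is e.g. InitiateAuth."""
    req = urllib.request.Request(f"https://cognito-idp.{region}.amazonaws.com/", method="POST",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/x-amz-json-1.1",
                                          "X-Amz-Target": "AWSCognitoIdentityProviderService." + action})
    return json.loads(send(req))

def password_login(region, client_id, username, password, client_secret=None,
                   new_password=None, send=http_send):
    """USER_PASSWORD_AUTH flow, answering a NEW_PASSWORD_REQUIRED challenge if one comes back."""
    params = {"USERNAME": username, "PASSWORD": password}
    if client_secret:  # only app clients configured with a secret need SECRET_HASH
        params["SECRET_HASH"] = secret_hash(username, client_id, client_secret)
    reply = cognito_call(region, "InitiateAuth", {"AuthFlow": "USER_PASSWORD_AUTH",
                         "ClientId": client_id, "AuthParameters": params}, send)
    if reply.get("ChallengeName") == "NEW_PASSWORD_REQUIRED":
        if not new_password:
            raise RuntimeError("Cognito requires a new password and none was supplied")
        answers = {"USERNAME": username, "NEW_PASSWORD": new_password}
        if client_secret:  # the challenge answer needs the same SECRET_HASH
            answers["SECRET_HASH"] = params["SECRET_HASH"]
        reply = cognito_call(region, "RespondToAuthChallenge",
                             {"ChallengeName": "NEW_PASSWORD_REQUIRED", "ClientId": client_id,
                              "Session": reply["Session"], "ChallengeResponses": answers}, send)
    if "AuthenticationResult" not in reply:  # MFA or another challenge not handled here
        raise RuntimeError(f"unhandled challenge: {reply.get('ChallengeName')}")
    return reply["AuthenticationResult"]

def fake_cognito(req):
    """Constructed offline stub replaying the answer's two responses; no network is used."""
    if "Session" in json.loads(req.data):  # second call: the challenge has been answered
        return json.dumps({"AuthenticationResult": {"AccessToken": "eyJra...", "IdToken": "eyJra...",
                           "RefreshToken": "eyJjd...", "ExpiresIn": 3600, "TokenType": "Bearer"}}).encode()
    return json.dumps({"ChallengeName": "NEW_PASSWORD_REQUIRED", "Session": "DNdY...",
                       "ChallengeParameters": {"USER_ID_FOR_SRP": "abababab-..."}}).encode()
```

Call `password_login(region, client_id, username, password, client_secret=..., new_password=..., send=fake_cognito)` to walk the challenge flow offline; drop `send` to hit the real endpoint.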
