Java:未授权执行sts:AssumeRoleWithWebIdentity cognito用户池

时间:2016-10-13 13:04:28

标签: java amazon-web-services amazon-iam amazon-cognito

我正在使用AWS Cogito服务使用AWS Java SDK从Cognito获取用户凭据。

我跟着 https://mobile.awsblog.com/post/TxBVEDL5Z8JKAC/Use-Amazon-Cognito-in-your-website-for-simple-AWS-authentication编写代码以使用cognito用户池对用户进行身份验证。

在编写代码之前,我配置了cognito用户池,并使用以下池配置字段将其命名为demo。

Pool Id us-east-1_GUbY6qQ1v
Pool ARN arn:aws:cognito-idp:us-east-1:049428796662:userpool/us-east-1_GUbY6qQ1v

我使用上面创建的标识池来满足联合身份池,如附图所示。Federated Identities User Pool

现在回到代码中,我编写了以下函数来检索用户身份并对其进行缓存,以便在相同身份登录时,不会重复调用GetID()函数。

public UserIdentity getUserIdentity(User user) throws AuthorizationException {
if (user == null || user.getUsername() == null || user.getUsername().trim().equals("")) {
  throw new AuthorizationException("Invalid user");
}
AmazonCognitoIdentity identityClient = new AmazonCognitoIdentityClient(new AnonymousAWSCredentials());

GetIdRequest idRequest = new GetIdRequest();
idRequest.setAccountId(CognitoConfiguration.AWS_ACCOUNT_ID);
idRequest.setIdentityPoolId(CognitoConfiguration.IDENTITY_POOL_ID);

GetIdResult idResp = identityClient.getId(idRequest);

if (idResp == null) {
  throw new AuthorizationException("Empty GetOpenIdToken response");
}

GetOpenIdTokenRequest tokenRequest = new GetOpenIdTokenRequest();
tokenRequest.setIdentityId(idResp.getIdentityId());

GetOpenIdTokenResult tokenResp = identityClient.getOpenIdToken(tokenRequest);
UserIdentity identity = new UserIdentity();
identity.setIdentityId(idResp.getIdentityId());
identity.setOpenIdToken(tokenResp.getToken());
return identity;

}

用户类包含带有getOpenIdToken的字段标识,然后在从cognito请求凭据时检索此标记。

public AWSSessionCredentials getUserCredentials(User user) throws AuthorizationException {
if (user == null || user.getCognitoIdentityId() == null || user.getCognitoIdentityId().trim().equals("")) {
  throw new AuthorizationException("Invalid user");
}

AWSSecurityTokenService stsClient = new AWSSecurityTokenServiceClient(new AnonymousAWSCredentials());
AssumeRoleWithWebIdentityRequest stsReq = new AssumeRoleWithWebIdentityRequest();
stsReq.setRoleArn(user.getUserRole());
System.out.println("The received get open id token is: " + user.getIdentity().getOpenIdToken());
stsReq.setWebIdentityToken(user.getIdentity().getOpenIdToken());
stsReq.setRoleSessionName("FassetTestSession");

AssumeRoleWithWebIdentityResult stsResp = stsClient.assumeRoleWithWebIdentity(stsReq);
Credentials stsCredentials = stsResp.getCredentials();

// Create the session credentials object
AWSSessionCredentials sessionCredentials = new BasicSessionCredentials(
    stsCredentials.getAccessKeyId(),
    stsCredentials.getSecretAccessKey(),
    stsCredentials.getSessionToken()
);
// save the timeout for these credentials 
Date sessionCredentialsExpiration = stsCredentials.getExpiration();
return sessionCredentials;

}

用户类的相关部分如下所示。

public class User {
  private UserIdentity identity;
  public String getCognitoIdentityId() {
    if (this.identity == null) {
      return null;
    }
    return this.identity.getIdentityId();
  }

  public void setCognitoIdentityId(String cognitoIdentityId) {
    if (this.identity == null) {
      this.identity = new UserIdentity();
    }
    this.identity.setIdentityId(cognitoIdentityId);
  }

}

行AssumeRoleWithWebIdentityResult stsResp = stsClient.assumeRoleWithWebIdentity(stsReq),使用下面的确切行返回 403禁止 错误。

    2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "<ErrorResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "  <Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "    <Type>Sender</Type>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "    <Code>AccessDenied</Code>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "    <Message>Not authorized to perform sts:AssumeRoleWithWebIdentity</Message>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "  </Error>[\n]"
2016-10-13 17:47:02,330 DEBUG [wire(wire:72)] http-outgoing-4 << "  <RequestId>fe4edd9f-913e-11e6-85cd-45155b40299e</RequestId>[\n]"

用户角色的信任权限是:

   {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxxxxxxxxx"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": [
            "accounts.google.com",
            "graph.facebook.com",
            "authenticated"
          ]
        }
      }
    }
  ]
}

其中 us-east-1:xxxxxxxxxxxxxxxx 是管理社交用户池和认知用户池的用户身份池ID。

我已经浏览了许多此类博客,列出了信任权限和认知用户池,以了解上述问题,但是徒劳无功,如果有人能帮我解决上述问题,我将非常感激。

1 个答案:

答案 0 :(得分:2)

在您对 GetId 的调用中,您没有在登录地图中传递用户池用户的ID令牌。您需要在 GetIdRequest 上调用setLogins,并使用包含 cognito-idp.us-east-1.amazonaws.com/us-east-1_your_user_pool_id 的地图作为密钥,您的用户的 id token 将用户作为值

由于您尚未传递此登录映射,因此您获得的身份是未经身份验证的身份,并且您只允许在您的角色策略中使用经过身份验证的用户。

另请参阅:GetId API

相关问题
最新问题