AWS:如何根据Cognito Pool正确验证用户身份并将其用于Cognito Federated Identity?

时间:2016-11-10 09:43:19

标签: ios swift amazon-web-services federated-identity

我正在开发一个使用两个身份验证提供程序的应用程序:

  • Cognito用户池

对于前者,我没有任何问题,一切都按预期工作。但是,在使用Cognito用户池设置身份验证时,我正在接着一个墙。我使用的是AWS SDK 2.4.9,XCode 8和Swift 3。

我知道已经提出了很多问题,而且还有很多“指南”。但是,很多人都会回答/制作过时的文档和SDK。甚至官方AWS文档都已过时。

我正在进行的身份验证步骤如下:

1。配置初始认知池

///  Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

/// Create a pool configuration and register it for a specific key to use later
let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID)  
AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey)

/// Create a pool for a specific predefined key
pool = AWSCognitoIdentityUserPool(forKey: poolKey)

2。根据Cognito用户池验证用户

  user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in

        if let error = task.error as? NSError {
            completionHandler(error)
            return nil
        }

        let session = task.result! as AWSCognitoIdentityUserSession
        let token = session.idToken!.tokenString

        let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString]
        let identityProvider = CognitoPoolIdentityProvider(tokens: tokens)

        let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider)

        ///  Set the default service configuration
        let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider)
        AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration

        credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in
            completionHandler(task.error as NSError?)
            return nil
        })

        return nil
    })

第3。 CognitoPoolIdentityProvider类

    class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager {

      var tokens : NSDictionary = [:]

      init(tokens: [NSString : NSString]) {
           self.tokens = tokens as NSDictionary
      }

      @objc func logins() -> AWSTask<NSDictionary> {
           return AWSTask(result: tokens)
      }

    }

4。将数据存储到Cognito Federated Identity

所有这一切都没有任何错误。但是,现在我想将我从Cognito Pool提取的数据存储到特定的Cognito联合身份数据集中,因此我打电话给:userProfile.synchronize().continue,我得到以下结果:

  

getCredentialsWithCognito:authenticated:customRoleArn:] _ block_invoke |   GetCredentialsForIdentity失败。错误是[错误   Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)”   UserInfo = {__ type = NotAuthorizedException,message = Access to Identity   'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'被禁止。}]

     

2016-11-10 10:27:16.947365 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11   [错误] AWSIdentityProvider.m行:304 |   __52- [AWSCognitoCredentialsProviderHelper getIdentityId] _block_invoke.255 | GetId失败了。错误是[错误   Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)”   UserInfo = {__ type = NotAuthorizedException,message = Unauthenticated   此身份池不支持访问。}] 2016-11-10   10:27:16.947726 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误]

     

AWSCredentialsProvider.m行:577 |   __44- [AWSCognitoCredentialsProvider凭证] _block_invoke.352 |无法刷新。错误是[错误   Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)”   UserInfo = {__ type = NotAuthorizedException,message = Unauthenticated   此身份池不支持访问。}] 2016-11-10   10:27:16.948452 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误]

     

AWSCognitoDataset.m行:352 | __30- [AWSCognitoDataset   syncPull:] _ block_invoke |无法列出记录:错误   Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)”   UserInfo = {__ type = NotAuthorizedException,message = Unauthenticated   此身份池不支持访问。} [10:27:16]:   saveSettings AWS任务错误:无法完成操作。   (com.amazonaws.AWSCognitoIdentityErrorDomain错误8。)

更改日志级别后,我可以看到以下内容:

  

//请求

     

2016-11-10 10:33:08.095735 xxxxxxxx [19874:5616142] AWSiOSSDK   v2.4.11 [Debug] AWSURLSessionManager.m行:543 |    - [AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] |请求正文:{“IdentityId”:“us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx”}

     

// RESPONSE

     

2016-11-10 10:33:08.714268 xxxxxxxx [19874:5616154]   AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m行:553 |    - [AWSURLSessionManager printHTTPHeadersForResponse:] |响应头:{       Connection =“keep-alive”;       “内容长度”= 129;       “Content-Type”=“application / x-amz-json-1.1”;       日期=“星期四,2016年11月10日09:33:08 GMT”;       “x-amzn-ErrorMessage”=“禁止访问身份'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx'。”;       “x-amzn-ErrorType”=“NotAuthorizedException:”;       “x-amzn-RequestId”=“b0ac6fb0-a728-11e6-8413-1fdb846185bb”; }

以上请求是GetID API调用。显然,它与AWS文档中的请求格式不匹配:http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html

根据AWSServiceManager类,我们有:

/**
 The default service configuration object. This property can be set only once, and any subsequent setters are ignored.
 */
@property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;

这意味着设置新服务配置毫无意义,但我认为没有其他方法可以刷新我通过Cognito用户池身份验证获得的凭据。

这就是它。有什么想法吗?

由于

1 个答案:

答案 0 :(得分:1)

从你得到的错误看来

  Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden

您在第一部分中获得的凭据无法访问您进行同步调用的身份,因此您的身份可能已更改。