我正在开发一个使用两个身份验证提供程序的应用程序:
对于前者,我没有任何问题,一切都按预期工作。但是,在使用Cognito用户池设置身份验证时,我正在接着一个墙。我使用的是AWS SDK 2.4.9,XCode 8和Swift 3。
我知道已经提出了很多问题,而且还有很多“指南”。但是,很多人都会回答/制作过时的文档和SDK。甚至官方AWS文档都已过时。
我正在进行的身份验证步骤如下:
1。配置初始认知池
/// Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration
/// Create a pool configuration and register it for a specific key to use later
let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID)
AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey)
/// Create a pool for a specific predefined key
pool = AWSCognitoIdentityUserPool(forKey: poolKey)
2。根据Cognito用户池验证用户
user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in
if let error = task.error as? NSError {
completionHandler(error)
return nil
}
let session = task.result! as AWSCognitoIdentityUserSession
let token = session.idToken!.tokenString
let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString]
let identityProvider = CognitoPoolIdentityProvider(tokens: tokens)
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider)
/// Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration
credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in
completionHandler(task.error as NSError?)
return nil
})
return nil
})
第3。 CognitoPoolIdentityProvider类
class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager {
var tokens : NSDictionary = [:]
init(tokens: [NSString : NSString]) {
self.tokens = tokens as NSDictionary
}
@objc func logins() -> AWSTask<NSDictionary> {
return AWSTask(result: tokens)
}
}
4。将数据存储到Cognito Federated Identity
所有这一切都没有任何错误。但是,现在我想将我从Cognito Pool提取的数据存储到特定的Cognito联合身份数据集中,因此我打电话给:userProfile.synchronize().continue
,我得到以下结果:
getCredentialsWithCognito:authenticated:customRoleArn:] _ block_invoke | GetCredentialsForIdentity失败。错误是[错误 Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)” UserInfo = {__ type = NotAuthorizedException,message = Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'被禁止。}]
2016-11-10 10:27:16.947365 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误] AWSIdentityProvider.m行:304 | __52- [AWSCognitoCredentialsProviderHelper getIdentityId] _block_invoke.255 | GetId失败了。错误是[错误 Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)” UserInfo = {__ type = NotAuthorizedException,message = Unauthenticated 此身份池不支持访问。}] 2016-11-10 10:27:16.947726 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误]
AWSCredentialsProvider.m行:577 | __44- [AWSCognitoCredentialsProvider凭证] _block_invoke.352 |无法刷新。错误是[错误 Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)” UserInfo = {__ type = NotAuthorizedException,message = Unauthenticated 此身份池不支持访问。}] 2016-11-10 10:27:16.948452 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误]
AWSCognitoDataset.m行:352 | __30- [AWSCognitoDataset syncPull:] _ block_invoke |无法列出记录:错误 Domain = com.amazonaws.AWSCognitoIdentityErrorDomain Code = 8“(null)” UserInfo = {__ type = NotAuthorizedException,message = Unauthenticated 此身份池不支持访问。} [10:27:16]: saveSettings AWS任务错误:无法完成操作。 (com.amazonaws.AWSCognitoIdentityErrorDomain错误8。)
更改日志级别后,我可以看到以下内容:
//请求
2016-11-10 10:33:08.095735 xxxxxxxx [19874:5616142] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m行:543 | - [AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] |请求正文:{“IdentityId”:“us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx”}
// RESPONSE
2016-11-10 10:33:08.714268 xxxxxxxx [19874:5616154] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m行:553 | - [AWSURLSessionManager printHTTPHeadersForResponse:] |响应头:{ Connection =“keep-alive”; “内容长度”= 129; “Content-Type”=“application / x-amz-json-1.1”; 日期=“星期四,2016年11月10日09:33:08 GMT”; “x-amzn-ErrorMessage”=“禁止访问身份'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx'。”; “x-amzn-ErrorType”=“NotAuthorizedException:”; “x-amzn-RequestId”=“b0ac6fb0-a728-11e6-8413-1fdb846185bb”; }
以上请求是GetID API调用。显然,它与AWS文档中的请求格式不匹配:http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html。
根据AWSServiceManager类,我们有:
/**
The default service configuration object. This property can be set only once, and any subsequent setters are ignored.
*/
@property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;
这意味着设置新服务配置毫无意义,但我认为没有其他方法可以刷新我通过Cognito用户池身份验证获得的凭据。
这就是它。有什么想法吗?
由于
答案 0 :(得分:1)
从你得到的错误看来
Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden
您在第一部分中获得的凭据无法访问您进行同步调用的身份,因此您的身份可能已更改。