Firebase作为Cognito / AWS的身份提供商

时间:2017-11-10 17:39:06

标签: amazon-web-services firebase-authentication aws-sdk amazon-cognito amazon-iam

我很难将Firebase用作Open ID Connect提供商。 能否请您进一步描述您在完成这项工作之前和之后所经历的步骤?

有关信息,这是我到目前为止所做的: 在AWS控制台中:

1 - 创建IAM身份提供商(OpenID Connect)并使用securetoken.google.com/<FIREBASE_PROJECT_ID>作为网址,<FIREBASE_PROJECT_ID>用于受众

2 - 手动检查指纹(它与AWS生成的指纹匹配)

3 - 创建具有访问所需服务的权限的角色

4 - 在Cognito中创建了一个标识池,并在“已验证的角色”中选择了我新创建的角色。下拉

5 - 在身份验证提供商下选择我的身份提供商&gt; OpenID类别(格式因此):securetoken.google.com/<FIREBASE_PROJECT_ID>

在我的代码中(我使用的是Vue.js),这是我经历的逻辑步骤:

  • 导入/设置AWS开发工具包

  • 调用Firebase身份验证服务

  • 创建新的CognitoIdentity
  • 使用getOpenIdTokenForDeveloperIdentity并推送从Firebase收到的tokenID

问题是我一直在&#34;在配置中缺少凭据&#34;错误。

代码:

import axios from 'axios';
const AWS = require('aws-sdk');

AWS.config.region = 'eu-west-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'MY_COGNITO_POOL_ID',
});

export default {
  name: 'My Vue.js component name',
  data() {
    return {
      email: '',
      password: '',
      msg: '',
    };
  },
  methods: {
    submit() {
      axios
        .post(
          'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=MY_KEY',
        {
          email: this.email,
          password: password,
          returnSecureToken: true,
        },
        )
        .then((res) => {
         // stores tokens locally
          localStorage.setItem('jwt', JSON.stringify(res.data));
          const cognitoidentity = new AWS.CognitoIdentity();
          const params = {
            IdentityPoolId: 'MY_COGNITO_POOL_ID',
            Logins: {
              'securetoken.google.com/<PROJECT_ID>': res.data.idToken,
            },
            IdentityId: null,
            TokenDuration: 3600,
          };
          cognitoidentity.getOpenIdTokenForDeveloperIdentity(params, (err, data) => {
            if (err) console.log(err, err.stack); // an error occurred
            else console.log(data);           // successful response
          });
        });
    },
  },
};

以下是我在尝试完成这项工作时使用的资源:

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

Using Firebase OpenID Connect provider as AWS IAM Identity Provider

https://github.com/aws/amazon-cognito-identity-js/blob/master/examples/babel-webpack/src/main.jsx

http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetCredentialsForIdentity.html

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication/

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-2-developer-authenticated-identities/

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-3-roles-and-policies/

https://aws.amazon.com/blogs/mobile/understanding-amazon-cognito-authentication-part-4-enhanced-flow/

2 个答案:

答案 0 :(得分:1)

  • 尝试设置登录地图,即CognitoIdentityCredentials对象中的firebase令牌。请参阅this doc。

    AWS.config.credentials = new AWS.CognitoIdentityCredentials({
          IdentityPoolId: 'MY_COGNITO_POOL_ID',
          Logins: {
            'securetoken.google.com/': 
          }
    });
  • 在初始化Cognito客户端之前,尝试在凭据对象上调用get方法。您也可以使用getCredentials代替。
  • 如果上述步骤不起作用&amp;他们应该在初始化Cognito客户端时将凭据作为选项传递。有关使用CognitoIdentity构造函数的可用选项,请参阅this doc。

    const cognitoidentity = new AWS.CognitoIdentity({credentials: AWS.config.credentials});
  • 如果仍然收到错误,请在调用get()方法后尝试在控制台中记录凭据对象。理想情况下,它应该有临时凭证(accessKey,secretKey&amp; sessionToken)

答案 1 :(得分:0)

最终代码,如果这对任何人都有帮助:

import axios from 'axios';

const AWS = require('aws-sdk');
const aws4 = require('aws4');

export default {
  name: 'VUE_CPNT_NAME',
  data() {
    return {
      email: '',
      password: '',
      msg: '',
      idToken: '',
    };
  },
  methods: {
    submit() {
      // Firebase SignIn API
      // Doc: https://firebase.google.com/docs/reference/rest/auth/
      axios
        .post(
          'https://www.googleapis.com/identitytoolkit/v3/relyingparty/verifyPassword?key=[MY_KEY]',
        {
          email: this.email,
          password: this.password,
          returnSecureToken: true,
        },
        )
        .then((res) => {
          this.idToken = res.data.idToken;
          localStorage.setItem('jwt', JSON.stringify(res.data));
          AWS.config.credentials = new AWS.CognitoIdentityCredentials({
            IdentityPoolId: 'IDENTITY_POOL_ID',
            Logins: {
              'securetoken.google.com/<FIREBASE_PROJECT_ID>': res.data.idToken,
            },
          }, {
            region: 'eu-west-1',
          });
          // AWS.config.crendentials.get() methods works as well
          // or a call to cognitoidentity.getId() followed by a call to getCredentialsForIdentity() 
          // will achieve the same thing. Cool. But why!?
          AWS.config.getCredentials((err) => {
            if (err) {
              console.log(err);
            }
            const request = {
              host: 'API_GATEWAY_ENDPOINT.eu-west-1.amazonaws.com',
              method: 'GET',
              url: 'https://API_GATEWAY_ENDPOINT.eu-west-1.amazonaws.com/PATH',
              path: '/API_ENDPOINT_PATH',
            };
            // Signing the requests to API Gateway when the Authorization is set AWS_IAM.
            // Not required when Cognito User Pools are used
            const signedRequest = aws4.sign(request,
              {
                secretAccessKey: AWS.config.credentials.secretAccessKey,
                accessKeyId: AWS.config.credentials.accessKeyId,
                sessionToken: AWS.config.credentials.sessionToken,
              });
            // removing the Host header to avoid errors in Chrome
            delete signedRequest.headers.Host;
            axios(signedRequest);
          });
        });
    },
  },
};