Using Cognito with aws-sdk-cpp

Time: 2017-12-13 14:58:17

Tags: amazon-cognito aws-sdk-cpp

I have been trying to create a user login using aws-sdk-cpp. Essentially I want a user of my application to sign up (adding them to the Cognito user pool, which I have working) and then log in. That login should then give them access to a specific bucket in my account. I created a policy allowing Cognito users to access the bucket, following the one below.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

I created a user pool and a federated identity in the AWS console, and enabled Cognito as an identity provider in the user pool, so I believe that side is all correct.

I tried to put this authentication together using the SDK, using the integration tests in identity-management as a starting point.

#include <aws/core/Aws.h>
#include <aws/core/auth/AWSCredentials.h>
#include <aws/cognito-identity/CognitoIdentityClient.h>
#include <aws/cognito-identity/model/GetIdRequest.h>
#include <aws/identity-management/auth/CognitoCachingCredentialsProvider.h>
#include <aws/s3/S3Client.h>
#include <iostream>
#include <memory>

// CustomPersistentCognitoIdentityProvider is the poster's own subclass of
// Aws::Auth::PersistentCognitoIdentityProvider (adapted from the SDK's
// identity-management integration tests); its definition is not shown.
// S3ListObject is the poster's own helper and is not shown either.

int main()
{
    Aws::SDKOptions options;
    Aws::InitAPI(options);
    {
        const Aws::String userPool_id = "eu-west-1_xxxxxxxxx";
        const Aws::String client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxx";
        const Aws::String region_id = "eu-west-1";
        const Aws::String identityPool_id = "eu-west-1:xxxxxxxxxxxxxxxxx";
        const Aws::String account_id = "xxxxxxxxxxxx";

        Aws::Client::ClientConfiguration clientConfig;
        clientConfig.region = region_id;

        std::shared_ptr<CustomPersistentCognitoIdentityProvider> persistent_provider = std::make_shared<CustomPersistentCognitoIdentityProvider>();
        persistent_provider->SetAccountId(account_id);
        persistent_provider->SetIdentityPoolId(identityPool_id);

        //Aws::Map<Aws::String, LoginAccessTokens> logins;
        //LoginAccessTokens loginAccessTokens;
        //loginAccessTokens.accessToken = LOGIN_ID;
        //logins[LOGIN_KEY] = loginAccessTokens;
        //persistent_provider->SetLogins("cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxxx", client_id);

        auto cognito_client = std::make_shared<Aws::CognitoIdentity::CognitoIdentityClient>(clientConfig);

        // The Logins map is where GetId expects an identity-provider token;
        // the values below (client id, user name, password) are what the
        // poster tried and are what produces the error shown further down.
        Aws::CognitoIdentity::Model::GetIdRequest id_request;
        id_request.SetAccountId(account_id);
        id_request.SetIdentityPoolId(identityPool_id);
        id_request.AddLogins("cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxx", client_id);
        id_request.AddLogins("USERNAME", "tester@xxxxxxxxx");
        id_request.AddLogins("PASSWORD", "xxxxxxxxxxxxx");

        // Check the outcome instead of discarding it; this is the debugging
        // that surfaces the NotAuthorizedException quoted below.
        auto id_outcome = cognito_client->GetId(id_request);
        if (!id_outcome.IsSuccess())
        {
            std::cerr << "Request error: " << id_outcome.GetError().GetExceptionName()
                      << " " << id_outcome.GetError().GetMessage() << std::endl;
        }

        Aws::Auth::CognitoCachingAuthenticatedCredentialsProvider authenticated_provider(persistent_provider, cognito_client);
        Aws::Auth::AWSCredentials credentials = authenticated_provider.GetAWSCredentials();

        std::cout << "AccessKeyID : " << credentials.GetAWSAccessKeyId() << std::endl;
        std::cout << "SecretKey : " << credentials.GetAWSSecretKey() << std::endl;

        Aws::S3::S3Client s3_client(credentials, clientConfig);

        S3ListObject(s3_client, "cloudtesting");
        // do stuff with the s3 bucket
    }

    Aws::ShutdownAPI(options);
    return 0;
}

The code above returns empty strings for the access key.

Adding some debugging on the return of the GetId call:

Request error: NotAuthorizedException Invalid login token. Not a valid OpenId Connect identity token.

I am obviously missing something here or in the setup. Any advice/help/code examples would be much appreciated!

1 Answer:

Answer 0: (score: 1)

In order to authenticate with the Cognito User Pool, you have to use the CognitoIdentityProviderClient (see aws/cognito-idp/CognitoIdentityProviderClient.h). It uses the Secure Remote Password protocol (SRP) for authentication, which you unfortunately have to implement yourself. You first make a call to InitiateAuth, which then replies with some info to which you have to respond with RespondToAuthChallenge.

This is implemented in the Amazon Cognito Identity SDK for JavaScript, which you can use as a reference.
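The two-round-trip SRP exchange the answer describes, as an added illustration that is not part of the original question, the answer, or any AWS SDK: a self-contained SRP-6a run in Python in which UserPool stands in for the Cognito server and SrpClient for the application. initiate_auth plays the role of InitiateAuth (the client sends SRP_A and gets back SALT and SRP_B) and respond_to_auth_challenge plays the role of RespondToAuthChallenge (the client sends a signature derived from the shared secret). For brevity it uses the 1024-bit RFC 5054 group and a plain HMAC proof; Cognito uses the 3072-bit group and its own hashing and key-derivation details, which is what the referenced JavaScript SDK should be consulted for. All class and function names and the sample credentials are constructed for this example.

```python
import hashlib
import hmac
import os

# Group parameters: the 1024-bit SRP group from RFC 5054 Appendix A
# (assumption for brevity; Cognito itself uses the 3072-bit RFC 5054 group).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # values are padded to the group size before hashing


def to_bytes(value: int) -> bytes:
    return value.to_bytes(N_LEN, "big")


def hash_int(*parts: bytes) -> int:
    # SHA-256 over the concatenated parts, read back as a big-endian integer
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


K = hash_int(to_bytes(N), to_bytes(g))  # SRP-6a multiplier k = H(N | g)


def private_key_x(salt: bytes, username: str, password: str) -> int:
    # x = H(salt | H(username ":" password)); the only place the password is used
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return hash_int(salt, inner)


def session_key(shared_secret: int) -> bytes:
    return hashlib.sha256(to_bytes(shared_secret)).digest()


def proof(key: bytes, A: int, B: int) -> bytes:
    # Client proof M = HMAC(key, A | B); the server recomputes it from its own S
    return hmac.new(key, to_bytes(A) + to_bytes(B), hashlib.sha256).digest()


class UserPool:
    """Server side: stores only (salt, verifier v), never the password."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.v = pow(g, private_key_x(self.salt, username, password), N)

    def initiate_auth(self, A: int):
        # InitiateAuth analogue: takes the client's SRP_A, returns SALT and SRP_B
        if A % N == 0:
            raise ValueError("rejecting degenerate client public value")
        self.A = A
        self.b = int.from_bytes(os.urandom(32), "big")
        self.B = (K * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def respond_to_auth_challenge(self, client_proof: bytes) -> bool:
        # RespondToAuthChallenge analogue: check the client's proof of the password
        u = hash_int(to_bytes(self.A), to_bytes(self.B))
        S = pow(self.A * pow(self.v, u, N), self.b, N)
        expected = proof(session_key(S), self.A, self.B)
        return hmac.compare_digest(expected, client_proof)


class SrpClient:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def start(self) -> int:
        # Ephemeral a, public A = g^a (the SRP_A parameter)
        self.a = int.from_bytes(os.urandom(32), "big")
        self.A = pow(g, self.a, N)
        return self.A

    def answer_challenge(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("rejecting degenerate server public value")
        u = hash_int(to_bytes(self.A), to_bytes(B))
        x = private_key_x(salt, self.username, self.password)
        # S = (B - k*g^x)^(a + u*x) matches the server's S only if x matches its v
        S = pow((B - K * pow(g, x, N)) % N, self.a + u * x, N)
        return proof(session_key(S), self.A, B)


def srp_login(pool: UserPool, username: str, password: str) -> bool:
    # Run both round trips; only public values and a hash-based proof cross the wire
    client = SrpClient(username, password)
    salt, B = pool.initiate_auth(client.start())
    return pool.respond_to_auth_challenge(client.answer_challenge(salt, B))


if __name__ == "__main__":
    # Constructed sample credentials
    pool = UserPool("tester@example.com", "correct-horse-battery")
    print(srp_login(pool, "tester@example.com", "correct-horse-battery"))  # True
    print(srp_login(pool, "tester@example.com", "wrong-password"))  # False
```

What the exchange makes visible about the failing code in the question: the password never leaves the client, only a proof derived from it does, so putting USERNAME and PASSWORD into the GetId Logins map sends the secret to a service that cannot use it. What Cognito Identity's GetId expects as the value for the "cognito-idp.<region>.amazonaws.com/<user pool id>" key is the ID token returned once the user-pool authentication above has completed, which is the OpenID Connect identity token the NotAuthorizedException refers to.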