我正在使用AWS签名版本4。现在,我担心的是,我在Amazon api网关上收到来自api请求的签名,并且网关对请求进行了身份验证和身份验证,然后转发给php微服务。现在,我想从请求标头中的签名中检测用户。我该如何解决这个问题。
下面是我通过生成AWS签名生成的工作代码
public function generateAWSToken($uid) {
try {
$method = 'GET';
$uri = '/dev';
$json = file_get_contents('php://input');
$obj = json_decode($json);
if (isset($obj->method)) {
$m = explode("|", $obj->method);
$method = $m[0];
$uri .= $m[1];
}
$secretKey = env('AWS_SECRET_ACCESS_KEY');
$access_key = env('AKIAJR2JSY655JXI5LIA');
$token = env('AWS_SECRET_ACCESS_KEY');
$region = env('AWS_DEFAULT_REGIO');
$service = 'execute-api';
$options = array();
$headers = array();
$host = "YOUR-API-HOST.execute-api.ap-southeast-1.amazonaws.com";
//Or you can define your host here.. I am using API gateway.
$alg = 'sha256';
$date = new \DateTime('UTC');
$dd = $date->format('Ymd\THis\Z');
$amzdate2 = new \DateTime('UTC');
$amzdate2 = $amzdate2->format('Ymd');
$amzdate = $dd;
$algorithm = 'AWS4-HMAC-SHA256';
// $parameters = (array) $obj->data;
if (isset($obj->data) && ($obj->data == null || empty($obj->data))) {
$obj->data = "";
} else {
$param = "";
// $param = json_encode($obj->data);
// if ($param == "{}") {
// $param = "";
// }
$requestPayload = strtolower($param);
$hashedPayload = hash($alg, $uid);
$canonical_uri = $uri;
$canonical_querystring = '';
$canonical_headers = "content-type:" . "application/json" . "\n" . "host:" . $host . "\n" . "x-amz-date:" . $amzdate . "\n" . "x-amz-security-token:" . $token . "\n";
$signed_headers = 'content-type;host;x-amz-date;x-amz-security-token';
$canonical_request = "" . $method . "\n" . $canonical_uri . "\n" . $canonical_querystring . "\n" . $canonical_headers . "\n" . $signed_headers . "\n" . $hashedPayload;
$credential_scope = $amzdate2 . '/' . $region . '/' . $service . '/' . 'aws4_request';
$string_to_sign = "" . $algorithm . "\n" . $amzdate . "\n" . $credential_scope . "\n" . hash('sha256', $canonical_request) . "";
//string_to_sign is the answer..hash('sha256', $canonical_request)//
$kSecret = 'AWS4' . $secretKey;
$kDate = hash_hmac($alg, $amzdate2, $kSecret, true);
$kRegion = hash_hmac($alg, $region, $kDate, true);
$kService = hash_hmac($alg, $service, $kRegion, true);
$kSigning = hash_hmac($alg, 'aws4_request', $kService, true);
$signature = hash_hmac($alg, $string_to_sign, $kSigning);
$authorization_header = $algorithm . ' ' . 'Credential=' . $access_key . '/' . $credential_scope . ', ' . 'SignedHeaders=' . $signed_headers . ', ' . 'Signature=' . $signature;
$headers = [
'content-type' => 'application/json',
'x-amz-security-token' => $token,
'x-amz-date' => $amzdate,
'Authorization' => $authorization_header];
return $signature;
}
} catch (\Exception $ex) {
return false;
}
}
建议任何有用的链接和方法。
答案 0 :(得分:0)
您如何生成AKS + AKI +令牌?如果您使用的是Cognito池和身份联盟,这应该会有所帮助。这对我有帮助
how to user identity id to link to cognito user pool
PS:这可能是复制粘贴错误,但是令牌肯定不是$token = env('AWS_SECRET_ACCESS_KEY');