我有一个静态的无服务器网站,该网站允许使用AWS Cognito User Pool进行Java身份验证。
现在,我正在尝试启用一些编程访问方式,因此我需要通过Python脚本执行相同的身份验证。这可能吗?该文档未为Python提供任何code examples。
我只是想为Python寻找一种针对AWS URL发出GET或POST请求的方法,向其传递用户名和登录名,然后返回signed cookies验证身份。
我找到的最接近的示例是this code,它引用了cognito-idp API。我已经修改为:
import boto3
client_id = '<my_app_client_id>'
region_name = 'us-east-1'
auth_data = { 'USERNAME':'myusername' , 'PASSWORD':'mypassword' }
provider_client = boto3.client('cognito-idp', region_name=region_name)
resp = provider_client.initiate_auth(AuthFlow='USER_PASSWORD_AUTH', AuthParameters=auth_data, ClientId=client_id)
print('resp:', resp)
但是,即使我使用与通过Javascript API相同的凭据,也无法通过身份验证并仅返回错误:
botocore.exceptions.NoCredentialsError: Unable to locate credentials
这与Javascript Cognito API是否等效于Python?
答案 0 :(得分:0)
以下代码片段显示了使用boto3使用Cognito进行身份验证的完整工作流程。
def get_secret_hash(username):
msg = username + CLIENT_ID
dig = hmac.new(
str(CLIENT_SECRET).encode('utf-8'),
msg=str(msg).encode('utf-8'),
digestmod=hashlib.sha256
).digest()
d2 = base64.b64encode(dig).decode()
return d2
def initiate_auth(client, username, password):
secret_hash = get_secret_hash(username)
try:
resp = client.admin_initiate_auth(
UserPoolId=USER_POOL_ID,
ClientId=CLIENT_ID,
AuthFlow='ADMIN_NO_SRP_AUTH',
AuthParameters={
'USERNAME': username,
'SECRET_HASH': secret_hash,
'PASSWORD': password,
},
ClientMetadata={
'username': username,
'password': password, })
except client.exceptions.NotAuthorizedException:
return None, "The username or password is incorrect"
except client.exceptions.UserNotConfirmedException:
return None, "User is not confirmed"
except Exception as e:
return None, e.__str__()
return resp, None
@app.route('/auth/login', methods=['POST'])
def login():
event = auth.current_request.json_body
client = boto3.client('cognito-idp')
username = event['username']
password = event['password']
for field in ["username", "password"]:
if event.get(field) is None:
return {"error": True,
"success": False,
"message": f"{field} is required",
"data": None}
resp, msg = initiate_auth(client, username, password)
if msg != None:
return {'message': msg,
"error": True, "success": False, "data": None}
if resp.get("AuthenticationResult"):
return {'message': "success",
"error": False,
"success": True,
"data": {
"id_token": resp["AuthenticationResult"]["IdToken"],
"refresh_token": resp["AuthenticationResult"]["RefreshToken"],
"access_token": resp["AuthenticationResult"]["AccessToken"],
"expires_in": resp["AuthenticationResult"]["ExpiresIn"],
"token_type": resp["AuthenticationResult"]["TokenType"]
}}
else: # this code block is relevant only when MFA is enabled
return {"error": True,
"success": False,
"data": None, "message": None}
这是从函数中解析的重要部分。
resp = client.admin_initiate_auth(
UserPoolId=USER_POOL_ID,
ClientId=CLIENT_ID,
AuthFlow='ADMIN_NO_SRP_AUTH',
AuthParameters={
'USERNAME': username,
'SECRET_HASH': secret_hash,
'PASSWORD': password,
},
ClientMetadata={
'username': username,
'password': password, })
示例取自一个由四部分组成的教程,不幸的是,这些教程并没有帮助我将其与Chalice CognitoUserPoolAuthorizer集成在一起,但看起来效果很好。如果找不到更好的代码示例,请参见以下教程。
答案 1 :(得分:-1)
像这样将访问和密钥传递给boto3。
provider_client = boto3.client('cognito-idp', region_name=region_name, aws_access_key_id=AWS_ACCESS_KEY_ID,
aws_secret_access_key=AWS_SECRET_ACCESS_KEY)