I'm integrating a Cognito App Client with an external provider (Twitch). User authentication works, but since Cognito uses the code from the authorization server, I'm not sure how I should send Twitch requests with the token I would normally get from Twitch, as Cognito doesn't use this code. I only have the Cognito code, which I can use in a request to https://{my-domain}/oauth2/token to exchange it for Cognito tokens. The request returns id_token, access_token and refresh_token, which look like this when decoded:
ID token
{
  "at_hash": "yTNkeTAqzqcXCYi3yLL2Pw",
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "cognito:username": "xxxxxxxxxxxx",
  "preferred_username": "xxxxxxxxxxxx",
  "nonce": "SxxlipCDVbXbcXa1H7Uf9_nM0uOurAAObUVCyreBDDux99QoAngUoiGdE0me-0Zon6fEVLLTSqD4EN1Y6_lFm48MaoBaxyywZCQKOT70gfQEfkuhlsjImJd1ko3qH3QKdlmvWSPCUZoACPYNSgR364VPELyQTVMkRTCt9eYROag",
  "aud": "35l1cn53cnj9sv1ndu8u01amk0",
  "identities": [
    {
      "userId": "xxxxxxxxxxxx",
      "providerName": "xxxxxxxxxxxx",
      "providerType": "OIDC",
      "issuer": null,
      "primary": "true",
      "dateCreated": "1588191000072"
    }
  ],
  "token_use": "id",
  "auth_time": 1588191003,
  "exp": 1588194603,
  "iat": 1588191003
}
Access token
{
  "sub": "3cfba641-4058-475f-9818-17291175fd31",
  "cognito:groups": [
    "us-east-1_xxxxxxxxxxxx"
  ],
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin phone openid profile email",
  "auth_time": 1588191003,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxxxxx",
  "exp": 1588194603,
  "iat": 1588191003,
  "version": 2,
  "jti": "55863213-c764-4b07-a386-a9c93d14e4b2",
  "client_id": "xxxxxxxxxxxx",
  "username": "xxxxxxxxxxxx"
}
How do I get the user's token to call the Twitch API (for example the GET https://api.twitch.tv/helix/users endpoint with an authorized user token)?
Answer 0 (score: 1)
Note - if this is done incorrectly, sensitive attributes will be exposed to the client.
You need to create two versions of the attributes - custom and dev:custom - map the OIDC provider attributes to the custom attributes (it looks like dev:custom is not mappable), then in the TokenGeneration_HostedAuth trigger you need to get the custom attributes, set the dev:custom ones, and then delete the custom ones.
It seems a bit hacky, but I can't see another way to keep the tokens secure.
The solution is to create custom attributes in the user pool and then map those attributes to the identity provider. It looks like:
'custom:refresh_token': refresh_token
'custom:id_token': id_token
'custom:access_token': access_token
CloudFormation template:
User pool
....
Schema: [
  // Developer-only copies. Cognito names these dev:custom:<name>; users
  // cannot modify them with their own access token, and the trigger is
  // what writes the provider tokens into them.
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'refresh_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'access_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    DeveloperOnlyAttribute: true,
    Mutable: true,
    Name: 'id_token',
    Required: false,
  },
  // Mappable copies (custom:<name>). The identity provider attribute
  // mapping below writes here; the trigger moves the value to the
  // dev:custom attribute and then deletes it.
  {
    AttributeDataType: 'String',
    Mutable: true,
    Name: 'refresh_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    Mutable: true,
    Name: 'access_token',
    Required: false,
  },
  {
    AttributeDataType: 'String',
    Mutable: true,
    Name: 'id_token',
    Required: false,
  },
],
....
User pool identity provider
....
AttributeMapping: {
  'custom:refresh_token': 'refresh_token',
  'custom:access_token': 'access_token',
  'custom:id_token': 'id_token',
},
....
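As an added example (not code from the original answer), here is the TokenGeneration_HostedAuth Lambda logic the answer describes, written for Node.js: a pure planning function decides which custom:* values to copy into dev:custom:* and delete, and which claims to suppress from the issued ID token; a handler applies that plan through a small adapter. The adapter method names updateAttributes and deleteAttributes, the FakeCognitoAdmin stand-in and the sample event are assumptions constructed for this example; in a deployment the adapter would wrap the AdminUpdateUserAttributes and AdminDeleteUserAttributes API calls from the AWS SDK, and the Lambda would export handler.

```javascript
"use strict";

// Added example, not code from the original answer. Pre Token Generation
// logic for the TokenGeneration_HostedAuth flow: move provider tokens from
// mappable custom:* attributes into developer-only dev:custom:* attributes,
// delete the custom:* copies and keep them out of the issued ID token.
// The adapter interface (updateAttributes / deleteAttributes) is an
// assumption of this example; a real adapter wraps the
// AdminUpdateUserAttributes / AdminDeleteUserAttributes API calls.

const SENSITIVE = ["refresh_token", "access_token", "id_token"];

// Pure planning step, free of I/O so it can be tested without AWS.
function planTokenMigration(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  const toSet = [];
  const toDelete = [];
  const claimsToSuppress = [];

  for (const name of SENSITIVE) {
    const mapped = `custom:${name}`;
    const value = attrs[mapped];
    if (typeof value === "string" && value.length > 0) {
      toSet.push({ Name: `dev:custom:${name}`, Value: value });
      toDelete.push(mapped);
    }
    // Always suppress the mappable claim, even when absent, so a value that
    // survives a failed delete never reaches the client.
    claimsToSuppress.push(mapped);
  }
  return { toSet, toDelete, claimsToSuppress };
}

// Lambda entry point. Cognito expects the same event object back with
// response.claimsOverrideDetails filled in. `cognito` is injected so the
// function can run against the in-memory stand-in below.
async function handler(event, cognito) {
  const plan = planTokenMigration(event);

  // Only the hosted-UI sign-in runs the provider attribute mapping, so only
  // that trigger source has anything to move. Write the dev copy first; if
  // the delete then fails, the next sign-in simply repeats the migration.
  if (event.triggerSource === "TokenGeneration_HostedAuth" && plan.toSet.length > 0) {
    await cognito.updateAttributes(event.userPoolId, event.userName, plan.toSet);
    await cognito.deleteAttributes(event.userPoolId, event.userName, plan.toDelete);
  }

  event.response = event.response || {};
  event.response.claimsOverrideDetails = { claimsToSuppress: plan.claimsToSuppress };
  return event;
}

// Constructed stand-in for the Cognito admin API so the example runs offline.
class FakeCognitoAdmin {
  constructor(users) {
    this.users = users; // username -> attribute map
  }
  async updateAttributes(userPoolId, username, attrs) {
    const user = this.users[username];
    for (const a of attrs) user[a.Name] = a.Value;
  }
  async deleteAttributes(userPoolId, username, names) {
    const user = this.users[username];
    for (const n of names) delete user[n];
  }
}

// Constructed sample event in the shape Cognito sends to the trigger; the
// token values are placeholders, not real Twitch tokens.
function sampleEvent(triggerSource = "TokenGeneration_HostedAuth") {
  return {
    version: "1",
    triggerSource,
    userPoolId: "us-east-1_example",
    userName: "twitch_12345",
    request: {
      userAttributes: {
        sub: "3cfba641-4058-475f-9818-17291175fd31",
        "custom:refresh_token": "twitch-refresh-token-value",
        "custom:access_token": "twitch-access-token-value",
        "custom:id_token": "twitch-id-token-value",
      },
      groupConfiguration: {},
    },
    response: { claimsOverrideDetails: null },
  };
}

// Runs one trigger invocation end to end and returns the resulting event
// together with the user's attribute map afterwards.
async function runDemo(triggerSource) {
  const event = sampleEvent(triggerSource);
  const store = { [event.userName]: { ...event.request.userAttributes } };
  const out = await handler(event, new FakeCognitoAdmin(store));
  return { out, user: store[event.userName] };
}

if (typeof module !== "undefined") {
  module.exports = { planTokenMigration, handler, FakeCognitoAdmin, sampleEvent, runDemo };
}
```

The claims are suppressed explicitly rather than relying on the delete having taken effect before the token is minted, and they are suppressed on every trigger source, not only TokenGeneration_HostedAuth, so a refresh never re-emits a mappable attribute that somehow survived. After a successful migration the Twitch tokens live only in dev:custom:* attributes, which your backend reads with admin credentials (AdminGetUser) on the user's behalf; the client never sees them.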