如何通过API网关将AWS Cognito用户数据提供给Lambda,而不需要使用授权程序?

huangapple go评论67阅读模式
英文:

How to make AWS Cognito User Data available to Lambda via API Gateway, without an Authorizer?

问题

我有一个使用AWS Cognito(通过Amplify)进行用户登录的网站。API部署在一个单独的堆栈上,使用Serverless进行部署。

我正在尝试创建一个API端点,如果可用,可以访问当前登录用户的Cognito用户池数据(用户名、电子邮件)。到目前为止,我唯一能够实现这一点的方法是使用API Gateway通过Cognito用户池授权器。

示例:

functions:
  getMe:
    handler: /endpoints/myService.get
    events:
      - http:
          path: /myService
          method: GET
          cors: true
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: ${self:custom.apiGatewayAuthorizerId.${self:custom.stage}}

其中authorizerId设置为在AWS控制台的API Gateway授权器页面找到的6字符授权器ID。然而,这会阻止所有未经Cognito身份验证的流量。这不是我想要的,因为我有许多服务应该可以由匿名用户和已登录用户访问。我只想为已登录用户个性化数据。

是否有任何方法允许流量通过API Gateway并将Cognito用户参数传递给Lambda 如果它们可用

我能找到的关于Cognito + API Gateway + Lambda的所有资源都是关于限制访问到端点,而不是在请求中添加数据...

英文:

I have a website that uses AWS Cognito (via Amplify) for user login. The API is on a separate stack that deploys with Serverless.

I am trying to have an API endpoint that can access the current logged-in user's Cognito User Pool data (username, email) if it is available. The only way I've been able to achieve this is by using a cognito user pool authorizer via API Gateway.

Example:

functions:
  getMe:
    handler: /endpoints/myService.get
    events:
      - http:
          path: /myService
          method: GET
          cors: true
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId: ${self:custom.apiGatewayAuthorizerId.${self:custom.stage}}

Where authorizerId is set to the 6-character Authorizer ID found on the AWS Console's API Gateway Authorizers page. However, this blocks all traffic that is not authenticated with Cognito. That isn't what I want, since I have a number of services that should be accessible by both anonymous and logged-in users. I just want to personalize the data for users that are logged-in.

Is there any way to allow traffic and pass the cognito user parameters through the API Gateway to Lambda if they are available?

All resources I've been able to find regarding Cognito + API Gateway + Lambda are specifically about restricting access to endpoints and not layering on data to the requests...

答案1

得分: 1

根据上面的评论,您希望匿名用户和已登录用户通过相同的网关端点传递?

您仍然可以使用相同的设置,但从API网关中删除身份验证,并在您的应用程序中处理逻辑。

如果用户在已登录AWS Amplify的情况下尝试访问您的服务,AWS Amplify将通过Authorization标头将ID令牌发送到API网关,API网关将原样将此标头传递给应用程序。您需要在应用程序内部检查此Authorization标头并打开传递的ID令牌以查找用户声明/属性并执行您的逻辑。对于没有此令牌的任何其他用户,可以视为匿名。

您仍然需要验证请求中是否存在令牌,以确保它是有效的令牌,并在此之后提取声明/属性。

英文:

Based on comments above you want Anonymous and Logged-in users pass through same gateway end point ?

You can still use the same setup but remove the authentication from API Gateway and take the logic in your application.

If users try to access your services while being logged in AWS amplify will send through the Authorization header with Id token to API Gateway and API Gateway will pass this header as it is to the application. You will have to check inside your application for this Authorization header and crack open Id token passed to find the user claims/attributes and do your logic. For any other user that doesn't have this token can be considered anonymous.

You still need to Validate the token if you find one in request to make sure it's a valid token and extract claims/Attributes thereafter.

huangapple
  • 本文由 发表于 2020年1月7日 02:03:42
  • 转载请务必保留本文链接:https://go.coder-hub.com/59616844.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定