result.getAccessToken().getJwtToken() not returning valid headers Authorization token
Question
We set up a Cognito user pool with OAuth 2.0 Implicit Grant as the allowed OAuth flow and want our JS-based web application to be able to call lambda functions (which have API Gateway endpoints) with the Cognito JWT token as part of the request Authorization headers.
We tested the authentication with Postman by using the default Cognito Hosted UI to enter username and password and then copy-pasting the access_token from the success login URL into Postman. This works fine.
However, when we authenticate using the amazon-cognito-identity.min.js SDK function below (our app uses jQuery and not a framework like React), the authenticateUser function is successful but the Cognito response contains the wrong JWT token (the token doesn't work when we copy-paste it into Postman for testing the same lambda function that we tested successfully with the Hosted UI).
Our JS code looks as follows:
// cognito_user_pool is an AmazonCognitoIdentity.CognitoUserPool created elsewhere in the app
var authentication_details = new AmazonCognitoIdentity.AuthenticationDetails({
    Username: email,
    Password: $('#password').val(),
});
var cognito_user = new AmazonCognitoIdentity.CognitoUser({
    Username: email,
    Pool: cognito_user_pool
});
cognito_user.authenticateUser(authentication_details, {
    onSuccess: function (result) {
        var jwt_token = result.getAccessToken().getJwtToken(); // THIS TOKEN DOES NOT WORK AND IS LONGER THAN THE TOKEN GENERATED BY THE COGNITO HOSTED UI
        // ....
    },
    onFailure: function (err) {
        console.error(err); // authentication errors end up here, not in onSuccess
    }
});
result.getAccessToken().getJwtToken() returns "Unauthorized".
We searched online but could not find any hints on why the token would be different when taken from the authenticateUser return parameter.
Also, we tested with the ID token using result.getIdToken().getJwtToken() but it doesn't work.
What is our mistake?
SDK: amazon-cognito-identity.min.js
Answer 1
Score: 0
The Cognito SDK uses the scope aws.cognito.signin.user.admin by default, while the Hosted UI uses the scopes openid profile email.
To make the authenticateUser method work, you would need to make two changes:
- Allow the scope aws.cognito.signin.user.admin in the Cognito user pool (under OAuth 2.0 -> Allowed OAuth Scopes).
- Add the scope aws.cognito.signin.user.admin to the API Gateway configuration of your lambda function (under Method Execution -> Settings -> OAuth Scopes). Then redeploy the API.
More details are available here: https://aws.amazon.com/premiumsupport/knowledge-center/cognito-custom-scopes-api-gateway/
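To see why the two tokens behave differently, the following added example (not code from the question, the answer, or the Cognito SDK) decodes the payload of an access token and compares its scope claim against the OAuth scopes configured on an API Gateway method, which is the check a Cognito authorizer applies when scopes are set on the method. The sample tokens are constructed inline with the scopes named in the answer and carry dummy signatures; no signature verification is done here.

```javascript
// Decode a Cognito access token's payload and check its "scope" claim against the
// OAuth scopes configured on an API Gateway method. Decoding only: the real
// signature check is done by the API Gateway Cognito authorizer, not here.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; convert back to standard base64 for Buffer.
  var b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  return Buffer.from(b64, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Returns the scopes granted in an access token as an array ([] for non-access tokens).
function tokenScopes(jwt) {
  var parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  var claims = JSON.parse(base64UrlDecode(parts[1]));
  if (claims.token_use !== 'access' || typeof claims.scope !== 'string') return [];
  return claims.scope.split(' ').filter(Boolean);
}

// Mirrors the authorizer rule: at least one token scope must be in the method's scope list.
function scopeAllowed(jwt, methodScopes) {
  return tokenScopes(jwt).some(function (s) { return methodScopes.indexOf(s) !== -1; });
}

// Constructed sample tokens (header, payload, dummy signature) with the scopes from the answer.
function makeSampleToken(scope) {
  var header = base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'example-kid' }));
  var payload = base64UrlEncode(JSON.stringify({ token_use: 'access', scope: scope }));
  return header + '.' + payload + '.dummy-signature';
}

var sdkToken = makeSampleToken('aws.cognito.signin.user.admin'); // what authenticateUser returns
var hostedUiToken = makeSampleToken('openid profile email');     // what the Hosted UI returns
var methodScopes = ['openid', 'profile', 'email'];               // API Gateway method before the fix
var fixedMethodScopes = methodScopes.concat(['aws.cognito.signin.user.admin']); // after the fix

console.log('SDK token accepted:', scopeAllowed(sdkToken, methodScopes));                // false
console.log('Hosted UI token accepted:', scopeAllowed(hostedUiToken, methodScopes));     // true
console.log('SDK token accepted after fix:', scopeAllowed(sdkToken, fixedMethodScopes)); // true
```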