AWS Cognito在其自身域上设置Cookie,而不是目标域。

huangapple go评论52阅读模式
英文:

AWS Cognito sets cookie for its own domain, not the target's domain

问题

我已经设置了AWS Cognito来对通过CloudFront提供服务的网站进行身份验证。我可以将用户引导到Cognito中的登录页面,并显示注册/登录页面。然而,Cognito会为其域设置一个cookie,而不是网站的域。因此,在后续请求中,cookie不会被发送回网站。我的域名类似于这样。

mywebsite.com = Cloudfront分发
auth.mywebsite.com = Cognito自定义域

我的cookie是针对auth.mywebsite.com的,这对于父域是无效的。我认为我不能在CloudFront中将auth.mywebsite.com用作备用域,因为该域已分配为我的自定义Cognito域。无论如何,我不确定这应该如何工作。

英文:

I have set up AWS Cognito to authenticate a website served through CloudFront. I can direct users to the login and get the sign-in/sign-up pages in Cognito to appear. However, Cognito sets a cookie for its domain, not the website's domain. Therefore the cookie is not sent back to the website on subsequent requests. My domains are similar to this.

mywebsite.com = Cloudfront distribution
auth.mywebsite.com = Cognito custom domain 

My cookie is for auth.mywebsite.com, which is invalid for the parent domain. I don't think I can use auth.mywebsite.com as an alternate domain in Cloudfront because that domain is assigned as my custom Cognito domain. I'm not sure how this is supposed to work in any case.

答案1

得分: 1

以下是您要翻译的内容:

You cannot use the cookie generated by Cognito Hosted UI.

Flow is
Initial user action => www.my-domain.com
Cloudfront Lambda Viewer Request checks auth (not authenticated) 302 redirect to Cognito Hosted UI Signin/Signup page www.auth.my-domain.com/login?client_id=${CLIENT_ID}&response_type=(code or token)&scope=${SCOPE}&redirect_uri=${REDIRECT_URI}

user authenticates with Cognito Hosted UI.

Cognito 302 redirects with either tokens or code depending on your configuration. Let's assume auth code flow. Cognito returns to your redirect www.my-domain.com/my-login/?code=123authcodeflow

Now, there are several ways to use the CODE in the url.

  1. Your app should load from say an S3 bucket, So use app to grab code from url, set a page spinner and then call Cognito token route to get refresh, id, and access tokens.

https://auth.my-domain.com/oauth2/token?grant_type=authorization_code&code=${code}&client_id=${client_id}&redirect_uri=${REDIRECT_URI} NOTE: same redirect_uri as before.

You'll now have all your tokens.

  1. handle Cognito redirect in your cloudfront origin request to get the tokens as above, then send them back to your client as payload or a cookie that is created by you.

excellent article here: https://cloudonaut.io/authentication-at-the-edge-with-lambda-edge-cognito/

UPDATE

I was looking for a way to leverage CloudFront and Lambda@Edge functions to authenticate user via Cognito Hosted UI.

Found this LIB by AWS LABS and it works perfect with Cookie Auth.

https://github.com/awslabs/aws-jwt-verify

You can also copy the code and put it in your Lambda Index file and change anything you need to get different cookie names.

Works with just a Lambda@Edge Viewer request.

If you are also using AWS Gateway, you'll have to create another lambda that uses this LIB as well with a simple if/else like this one.

import { CognitoJwtVerifier } from 'aws-jwt-verify';

import { parseCookies } from './utilities/parse-cookie.mjs';

const verifier = CognitoJwtVerifier.create({
userPoolId: process.env.COGNITO_POOL_ID,
tokenUse: "access",
clientId: process.env.COGNITO_CLIENT_ID
});

const TOKEN_NAME = process.env.COGNITO_TOKEN_NAME;

export const handler = async (event) =>
{
if (event.cookies === null)
{
return {
isAuthorized: false,
};
}

const TOKEN = parseCookies(event.cookies, TOKEN_NAME);

if (TOKEN === null)
{
return {
isAuthorized: false,
};
}

try
{
await verifier.verify(TOKEN);

return {
  isAuthorized: true,
};

}
catch(e)
{
return {
isAuthorized: false,
};
}
};

英文:

> You cannot use the cookie generated by Cognito Hosted UI.

Flow is
Initial user action => www.my-domain.com
Cloudfront Lambda Viewer Request checks auth (not authenticated) 302 redirect to Cognito Hosted UI Signin/Signup page www.auth.my-domain.com/login?client_id=${CLIENT_ID}&response_type=(code or token)&scope=${SCOPE}&redirect_uri=${REDIRECT_URI}

user authenticates with Cognito Hosted UI.

Cognito 302 redirects with either tokens or code depending on your configuration. Let's assume auth code flow. Cognito returns to your redirect
www.my-domain.com/my-login/?code=123authcodeflow

Now, there are several ways to use the CODE in the url.

  1. Your app should load from say an S3 bucket, So use app to grab code from url, set a page spinner and then call Cognito token route to get refresh, id, and access tokens.

https://auth.my-domain.com/oauth2/token?grant_type=authorization_code&code=${code}&client_id=${client_id}&redirect_uri=${REDIRECT_URI} NOTE: same redirect_uri as before.

You'll now have all your tokens.

  1. handle Cognito redirect in your cloudfront origin request to get the tokens as above, then send them back to your client as payload or a cookie that is created by you.

excellent article here: https://cloudonaut.io/authentication-at-the-edge-with-lambda-edge-cognito/

UPDATE

I was looking for a way to leverage CloudFront and Lambda@Edge functions to authenticate user via Cognito Hosted UI.

Found this LIB by AWS LABS and it works perfect with Cookie Auth.

https://github.com/awslabs/aws-jwt-verify

You can also copy the code and put it in your Lambda Index file and change anything you need to get different cookie names.

Works with just a Lambda@Edge Viewer request.

If you are also using AWS Gateway, you'll have to create another lambda that uses this LIB as well with a simple if/else like
this one.

import { CognitoJwtVerifier } from 'aws-jwt-verify';

import { parseCookies } from './utilities/parse-cookie.mjs';

const verifier = CognitoJwtVerifier.create({
  userPoolId: process.env.COGNITO_POOL_ID,
  tokenUse: "access",
  clientId: process.env.COGNITO_CLIENT_ID
});

const TOKEN_NAME = process.env.COGNITO_TOKEN_NAME;

export const handler = async (event) =>
{
  if (event.cookies === null)
  {
    return {
      isAuthorized: false,
    };
  }

  const TOKEN = parseCookies(event.cookies, TOKEN_NAME);

  if (TOKEN === null)
  {
    return {
      isAuthorized: false,
    };
  }

  try
  {
    await verifier.verify(TOKEN);

    return {
      isAuthorized: true,
    };
  }
  catch(e)
  {
    return {
      isAuthorized: false,
    };
  }
};

huangapple
  • 本文由 发表于 2023年5月29日 20:44:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/76357505.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定