验证服务器返回cognito_identityId和cognito_token.
然后我设置了一个Cookie:
> $.cookie('cognito_identityId')
> $.cookie('cognito_token')
我尝试在浏览器上以4种方式获取凭据,并且所有失败:
> CognitoIdentityCredentials
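// Attempt 1: CognitoIdentityCredentials built from the IdentityId and the
// developer token that popup.js stored in cookies.
// The posted listing is missing the comma after IdentityPoolId (a syntax
// error); restored here. Everything else is reproduced as posted.
// NOTE(review): the answer further down says developer-authenticated logins
// use the key 'cognito-identity.amazonaws.com' (value = token returned by
// getOpenIdTokenForDeveloperIdentity), not a custom provider name, and that
// IdentityId must be the one returned by that same call. The reported
// "Missing required key 'IdentityId'" error is consistent with the cookie
// read below yielding undefined — confirm with console.log('%o', params)
// before constructing the credentials object.
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
  IdentityPoolId: 'us-east-1:xxxxxxxxxxxx',
  IdentityId: $.cookie('cognito_identityId'),
  Logins: { 'myauth': $.cookie('cognito_token') },
});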
// => 错误:在参数中缺少必需的键 'IdentityId'
> assumeRoleWithWebIdentity
// Attempt 2: call STS AssumeRoleWithWebIdentity directly with the developer
// token, bypassing the CognitoIdentityCredentials helper.
// The posted listing was collapsed onto one line, which put the trailing
// `else ...` inside the `// an error occurred` comment; laid out here so
// the callback reads as intended.
const params = {
  RoleArn: 'arn:aws:iam::xxxxxxxxxxxx:role/Cognito_xxxxxxxAuth_Role',
  RoleSessionName: 'xxxxxxxxxxx',
  WebIdentityToken: $.cookie('cognito_token'),
  DurationSeconds: 900,
  ProviderId: 'myauth',
};
const sts = new AWS.STS({ apiVersion: '2011-06-15' });
sts.assumeRoleWithWebIdentity(params, (err, data) => {
  if (err) {
    console.log(err, err.stack); // an error occurred
  } else {
    console.log(data); // successful response
  }
});
// => AccessDenied:未授权执行sts:AssumeRoleWithWebIdentity
PolicyDocument
{ "Version": "2012-10-17","Statement": [ { "Sid": "","Effect": "Allow","Principal": { "Federated": "cognito-identity.amazonaws.com" },"Action": "sts:AssumeRoleWithWebIdentity","Condition": { "StringEquals": { "cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxxxxxx" },"ForAnyValue:StringLike": { "cognito-identity.amazonaws.com:amr": "authenticated" } } } ] }
> GetCredentialsForIdentity
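// Attempt 3: GetCredentialsForIdentity with the cookie-cached IdentityId.
// The posted listing dropped `function (err, ` from the callback (a syntax
// error); restored here. Everything else is reproduced as posted.
// NOTE(review): this attempt reads the 'oauth.io_token' cookie while the
// other attempts read 'cognito_token', and uses the custom key "myauth".
// The "please provide a valid public provider" error reported for this call
// is consistent with "myauth" not being a provider Cognito recognises.
const params = {
  IdentityId: $.cookie('cognito_identityId'),
  Logins: { "myauth": $.cookie('oauth.io_token') },
};
const cognitoidentity = new AWS.CognitoIdentity({ apiVersion: '2014-06-30' });
cognitoidentity.getCredentialsForIdentity(params, function (err, data) {
  if (err) {
    console.log(err, err.stack); // an error occurred
  } else {
    console.log(data); // successful response
  }
});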
// => InvalidParameterException:请提供有效的公共提供者
> WebIdentityCredentials
// Attempt 4: WebIdentityCredentials — role ARN plus the developer token,
// with no identity pool referenced at all.
AWS.config.credentials = new AWS.WebIdentityCredentials({
  RoleArn: 'arn:aws:iam::xxxxxxxx:role/Cognito_xxxxxxxxxxAuth_Role',
  WebIdentityToken: $.cookie('cognito_token'),
});
// =>错误:有2个验证错误:
// * MissingRequiredParameter:在params中缺少必需的键 'IdentityPoolId'
// * MissingRequiredParameter:在params中缺少必需的键 'IdentityId'
问题:
>我做错了什么?
>使用它的正确方法是什么?
谢谢.
谢谢你的好意.
我提出了你的建议,但没有改变.
错误消息.
POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request) POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request) Error: Missing required key 'IdentityId' in params at fail (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2163:37) at validateStructure (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2084:14) at validateMember (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2110:21) at validate (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2059:10) at Request.VALIDATE_PARAMETERS (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:800:32) at Request.callListeners (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:3913:20) at callNextListener (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:3903:12) at chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:787:9 at finish (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:126:7) at chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:142:9
https://github.com/bisque33/my-custom-dictionary
和服务器端是AWS Lambda函数.
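// Server side: AWS Lambda that exchanges the caller-supplied token for a
// Cognito developer-authenticated OpenID token.
// The posted listing dropped `function (err, ` from the callback (a syntax
// error); restored here. Everything else is reproduced as posted.
const aws = require('aws-sdk');
aws.config.region = 'us-east-1';
const cognitoidentity = new aws.CognitoIdentity();
const identityPoolId = 'us-east-1:0dccff0d-5fd7-4d14-b38f-d27204feaecc';
console.log('Loading function');

/**
 * Lambda entry point.
 * @param {{token: string}} event - request payload; `token` is untrusted client input
 * @param {object} context - Lambda context, resolved via context.succeed / context.fail
 */
exports.handler = function (event, context) {
  // NOTE(review): this writes the raw token to CloudWatch Logs. The token is a
  // bearer credential, so logging it is a credential exposure — log at most
  // its presence or length.
  console.log('token: %s', event.token);
  // NOTE(review): `event.token` is forwarded unverified as the developer
  // provider's user identifier. The answer below notes it is a Facebook
  // access token, which changes between sessions, so it does not identify a
  // stable user; the identifier here should be verified against the
  // provider first and be stable (e.g. e-mail or internal user id).
  const params = {
    IdentityPoolId: identityPoolId,
    Logins: { 'oauth.io': event.token },
  };
  cognitoidentity.getOpenIdTokenForDeveloperIdentity(params, function (err, data) {
    if (err) {
      console.log(err);
      context.fail('Something went wrong');
    } else {
      context.succeed(data);
    }
  });
};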
此程序是Google-Chrome-Extension.
> AWS Lambda函数通过getOpenIdTokenForDeveloperIdentity返回标记.
> app/scripts/popup.js 调用Lambda函数并设置cookie.
> app/scripts/background.js 调用AWS.config.credentials.get,并返回错误.
我用错了吗?
更新附加信息
感谢您提供更多信息.
错误出现在background.js上的104行
AWS.config.credentials.get(function(){
和background.js上的115行
dataset.synchronize(
而且,我的解释还不够. Facebook身份验证需要域名(例如 http://example.com).但是,Google-Chrome-Ext没有域名.它有一个域 'chrome-extension://xxxxxxxxxxxxxxxxxxxx'.然后,我使用 https://oauth.io.它代理任何身份验证并接受chrome-extension域.
Popup.js通过oauth.io sdk进行Facebook身份验证.它获取了一个facebook令牌,并提供给getOpenIdTokenForDeveloperIdentity.我认为facebook token.substr(0,14)是独一无二的.但是,如果它是错的,我使用另一个唯一标识符(例如电子邮件地址.)
对不起我错了. AWS.config.credentials.get给出错误:
Error: Invalid login token.
Error: Missing required key 'IdentityId' in params
解决方法
>使用Developer Authenticated Identities时,您需要在初始化CognitoIdentityCredentials时指定IdentityId.您需要从调用GetOpenIdTokenForDeveloperIdentity获取IdentityId值.但是,您不需要在Cookie中保留IdentityId值,因为CognitoIdentityCredentials将默认在浏览器的本地存储中缓存ID.
>至于您的登录地图:看起来您正在尝试使用Developer Authenticated Identities.使用JavaScript SDK,使用密钥 'cognito-identity.amazonaws.com' 并确保该值是从您的后端调用getOpenIdTokenForDeveloperIdentity返回的标记.
如果您仍然遇到使用CognitoIdentityCredentials方法的问题,请在此处回复一些更多信息,例如您在收到错误消息时正在调用的确切方法/代码,以及跟踪输出(即使用 console.log('%o', ...))在调用CognitoIdentityCredentials构造函数之前输入的params.
根据提供的附加信息进行更新
我仍然需要确切地知道您收到错误的代码行,但根据提供的信息,我认为我仍然可以帮助…
根据我在background.js中看到的内容,您似乎正在尝试使用Developer Authenticated Identities提供程序初始化CognitoIdentityCredentials.这是我猜你收到错误的地方.
但是,在Popup.js中,您似乎正在尝试使用Facebook对用户进行身份验证.如果您使用Facebook对用户进行身份验证,则应在使用Cognito时将facebook访问令牌传递到您的登录地图中.只需使用graph.facebook.com作为登录地图中的密钥和来自Facebook的访问令牌.有关如何执行此操作的更多详细信息,请参见Facebook Integration topic of the Amazon Cognito developer guide.
Facebook与开发人员认证身份
我们可以让Developer Authenticated Identities为您工作,但在这种情况下,它看起来不适合您,因为您实际上没有对Lambda函数中的标识进行任何额外的身份验证以及唯一的用户标识符你传递给getOpenIdTokenForDeveloperIdentity操作似乎是facebook令牌,这是不好的,因为令牌本身将在用户会话之间改变,即使对于同一个用户也是如此.通常,良好的唯一标识符是内部系统使用的电子邮件地址或用户ID.
由于您最终尝试使用Facebook登录而Amazon Cognito拥有built-in integration for Facebook,因此您最好的办法是从Facebook获取访问令牌并直接将Facebook令牌传递给Cognito的登录地图.我不确定这是否适用于Auth.io(我只是不熟悉它),但只要Auth.io为您的JavaScript代码提供一个bona fide facebook令牌,并且您在Auth.io和Amazon Cognito的控制台中添加相同的Facebook App ID,都应该可以使用.但是,您提到要使用Auth.io来避免Facebook重定向到登录页面.我可能会弄错,但我很确定如果您使用Facebook's JavaScript SDK,则不需要重定向页面.如果您正在执行Facebook's Manually Build a Login Flow,则只需要重定向页面.