AWS:如何针对Cognito Pool正确认证用户并将其用于Cognito联合身份认证?
我上的应用程序,它会使用两个认证提供商合作:AWS:如何针对Cognito Pool正确认证用户并将其用于Cognito联合身份认证?
- Facebook的
- Cognito用户群
对于前者,我觉得没有问题,按预期一切正常。但是,在使用Cognito用户池设置身份验证的同时,我又一次击中了一面墙。我正在使用AWS软件开发工具包2.4.9,XCode 8和Swift 3.
我知道有很多问题已经被问及很多“指南”在那里。但是,他们中的很多人都回答了过时的文档和SDK。即使官方AWS文档已过时。
,我要通过认证步骤如下:
1.配置初始cognito池
/// Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration
/// Create a pool configuration and register it for a specific key to use later
let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID)
AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey)
/// Create a pool for a specific predefined key
pool = AWSCognitoIdentityUserPool(forKey: poolKey)
2.验证对Cognito用户池的用户
user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in
if let error = task.error as? NSError {
completionHandler(error)
return nil
}
let session = task.result! as AWSCognitoIdentityUserSession
let token = session.idToken!.tokenString
let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString]
let identityProvider = CognitoPoolIdentityProvider(tokens: tokens)
let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider)
/// Set the default service configuration
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider)
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration
credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in
completionHandler(task.error as NSError?)
return nil
})
return nil
})
3. CognitoPoolIden tityProvider类
class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager {
var tokens : NSDictionary = [:]
init(tokens: [NSString : NSString]) {
self.tokens = tokens as NSDictionary
}
@objc func logins() -> AWSTask<NSDictionary> {
return AWSTask(result: tokens)
}
}
4.将数据存储到Cognito联合身份
所有这一切都通过没有任何错误。不过,现在我想保存我从Cognito池中取出一个特定的Cognito联合身份数据集的数据,所以我打电话:userProfile.synchronize().continue
和我得到的结果如下:
getCredentialsWithCognito:authenticated:customRoleArn:]_block_invoke | GetCredentialsForIdentity failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden.}]
2016-11-10 10:27:16.947365 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSIdentityProvider.m line:304 | __52-[AWSCognitoCredentialsProviderHelper getIdentityId]_block_invoke.255 | GetId failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}] 2016-11-10 10:27:16.947726 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error]
AWSCredentialsProvider.m line:577 | __44-[AWSCognitoCredentialsProvider credentials]_block_invoke.352 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}] 2016-11-10 10:27:16.948452 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error]
AWSCognitoDataset.m line:352 | __30-[AWSCognitoDataset syncPull:]_block_invoke | Unable to list records: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.} [10:27:16]: saveSettings AWS task error: The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)
更改日志级别后,我可以看到以下内容:
//REQUEST
2016-11-10 10:33:08.095735 xxxxxxxx[19874:5616142] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:543 | -[AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] | Request body: {"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}
//RESPONSE
2016-11-10 10:33:08.714268 xxxxxxxx[19874:5616154] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:553 | -[AWSURLSessionManager printHTTPHeadersForResponse:] | Response headers: { Connection = "keep-alive"; "Content-Length" = 129; "Content-Type" = "application/x-amz-json-1.1"; Date = "Thu, 10 Nov 2016 09:33:08 GMT"; "x-amzn-ErrorMessage" = "Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."; "x-amzn-ErrorType" = "NotAuthorizedException:"; "x-amzn-RequestId" = "b0ac6fb0-a728-11e6-8413-1fdb846185bb"; }
上述请求是GetID API调用。显然,它与AWS Docs:http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html中的请求格式不匹配。
按照AWSServiceManager类,我们有这样的:
/**
The default service configuration object. This property can be set only once, and any subsequent setters are ignored.
*/
@property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;
这意味着,设置新的服务配置是没有意义的,但我看不出有什么其他的方式来刷新,我已经通过Cognito用户群中获得的证书认证。
就是这样。有任何想法吗?
感谢
它从你得到
Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden
,您在第一部分所获得的无法访问的身份凭证所做的同步调用,带这样你的身份很可能改变错误似乎。
你能提供更多的粒度吗?我收到类似的错误 – mm24
此用户来自哪里?你能提到用户类型 –