Is SMS MFA Status in Cognito user pools set by calling setPreferredMFA or is that something else?

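When using setPreferredMFA, the SMS MFA Status in the Cognito user pool shows as disabled even though setPreferredMFA has been set.

What does SMS MFA Status represent, and what does it do when I enable or disable it?

Thanks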

This is nothing more than an inconsistency between the AWS console and the API responses. Example: let's enable SMS MFA for a user:

aws cognito-idp set-user-mfa-preference --sms-mfa-settings Enabled=true,PreferredMfa=true --access-token <value>

Yes, in the console it still looks as if SMS MFA is not enabled. But that is wrong. Let's fetch the user's data:

aws cognito-idp get-user --access-token <value>
{
    "Username": "your-email@example.com",
    "UserAttributes": [
        {
            "Name": "sub",
            "Value": "491a3eba-381f-4c87-a7d6-befa21e49e82"
        },
        {
            "Name": "email_verified",
            "Value": "true"
        },
        {
            "Name": "phone_number_verified",
            "Value": "true"
        },
        {
            "Name": "phone_number",
            "Value": "+1234567890"
        },
        {
            "Name": "email",
            "Value": "your-email@example.com"
        }
    ],
    "PreferredMfaSetting": "SMS_MFA",
    "UserMFASettingList": [
        "SMS_MFA"
    ]
}

What you want to look at is the PreferredMfaSetting attribute. It will tell you what the user has chosen for himself/herself.

If you now try to authenticate like this:

aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id <value> --auth-parameters USERNAME=<value>,PASSWORD=<value>

You will receive a response like this:

{
    "ChallengeName": "SMS_MFA",
    "Session": "<session-value>",
    "ChallengeParameters": {
        "CODE_DELIVERY_DELIVERY_MEDIUM": "SMS",
        "CODE_DELIVERY_DESTINATION": "+*********7890",
        "USER_ID_FOR_SRP": "your-email@example.com"
    }
}

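OK, so what is this thing in the console doing? It is actually deprecated. See the documentation for MFAOptions here: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html

So let's enable SMS MFA through the console and then check the output of GetUser: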
{
    "Username": "your-email@example.com",
    "UserAttributes": [
        {
            "Name": "sub",
            "Value": "491a3eba-381f-4c87-a7d6-befa21e49e82"
        },
        {
            "Name": "email_verified",
            "Value": "true"
        },
        {
            "Name": "phone_number_verified",
            "Value": "true"
        },
        {
            "Name": "phone_number",
            "Value": "+1234567890"
        },
        {
            "Name": "email",
            "Value": "your-email@example.com"
        }
    ],
    "MFAOptions": [
        {
            "DeliveryMedium": "SMS",
            "AttributeName": "phone_number"
        }
    ],
    "PreferredMfaSetting": "SMS_MFA",
    "UserMFASettingList": [
        "SMS_MFA"
    ]
}

That's pretty much it.
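
As an added example (not part of the original answer), the following Python reads GetUser-shaped responses like the two shown above and reports the MFA state from `PreferredMfaSetting` and `UserMFASettingList`, flagging the case where the deprecated `MFAOptions` field does not reflect it. The function name `mfa_summary` and the sample dictionaries are assumptions constructed for illustration.

```python
# Constructed sample: GetUser fields after set-user-mfa-preference (no MFAOptions key).
API_ENABLED = {
    "Username": "your-email@example.com",
    "PreferredMfaSetting": "SMS_MFA",
    "UserMFASettingList": ["SMS_MFA"],
}

# Constructed sample: GetUser fields after SMS MFA was also enabled in the console.
CONSOLE_ENABLED = {
    "Username": "your-email@example.com",
    "MFAOptions": [{"DeliveryMedium": "SMS", "AttributeName": "phone_number"}],
    "PreferredMfaSetting": "SMS_MFA",
    "UserMFASettingList": ["SMS_MFA"],
}

# Constructed sample: a user with no MFA fields in the response at all.
NO_MFA = {"Username": "nobody@example.com"}


def mfa_summary(get_user_response):
    """Summarise a user's MFA state from a GetUser response dict (hypothetical helper)."""
    preferred = get_user_response.get("PreferredMfaSetting")
    enabled = list(get_user_response.get("UserMFASettingList") or [])
    # MFAOptions is the deprecated field; it only ever describes SMS delivery.
    legacy_sms = any(
        opt.get("DeliveryMedium") == "SMS"
        for opt in get_user_response.get("MFAOptions") or []
    )
    return {
        "preferred": preferred,
        "enabled": enabled,
        "legacy_sms_flag": legacy_sms,
        # The situation described in the answer: SMS MFA is enabled for the
        # user, but the deprecated field does not show it.
        "legacy_mismatch": "SMS_MFA" in enabled and not legacy_sms,
    }


if __name__ == "__main__":
    for name, resp in [("api", API_ENABLED), ("console", CONSOLE_ENABLED), ("none", NO_MFA)]:
        print(name, mfa_summary(resp))
```

To audit a real user, pass in the parsed JSON output of the `get-user` call shown above.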