Is it possible to get temporary credentials via boto3 with aws cognito google oauth access_token?

I want to authorize a user's requests to my API through AWS Cognito (Google identity provider). Currently I can receive the JWT tokens (id_token and access_token) from AWS and authorize requests, but I do it with the id_token rather than the access_token. Some articles say that authorizing API requests with the id_token (sending the id_token from the frontend in the headers) is bad practice and that I should use the access_token instead. Is it possible to do the same thing with the access_token instead of the id_token?

import boto3

# get_token_from_headers is the application's own helper that pulls the token out of the request headers
id_token = get_token_from_headers(headers)

identity_client = boto3.client('cognito-identity')

# Logins maps the user pool's provider name to the token; it is a dict, not a set
id_response = identity_client.get_id(
    AccountId='account_id',
    IdentityPoolId='identity_pool_id',
    Logins={
        'cognito-idp.us-west-1.amazonaws.com/us-west-1_blabla': id_token
    }
)

response = identity_client.get_credentials_for_identity(
    IdentityId=id_response['IdentityId'],
    Logins={
        'cognito-idp.us-west-1.amazonaws.com/us-west-1_blabla': id_token
    }
)

access_key = response['Credentials']['AccessKeyId']
secret_key = response['Credentials']['SecretKey']
session_key = response['Credentials']['SessionToken']

It looks like it is possible to get temporary credentials with the access_token from assume_role_with_web_identity link to docs, but the docs say that the WebIdentityToken parameter of that method only accepts an access_token when the OAuth provider is Amazon or Facebook.

It seems that temporary credentials are always retrieved from an AWS Cognito identity pool via the identity token: https://docs.aws.amazon.com/cognito/latest/developerguide/google.html

Successful authentication results in a response object that contains an id_token, which Amazon Cognito uses to authenticate the user and generate a unique identifier

I don't think this compromises security, since AWS Cognito identity pools are specifically designed to work with identity tokens, and you can configure which IAM role is assigned to the temporary AWS credentials the identity pool returns to you based on the identity token: https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html, https://docs.aws.amazon.com/cognito/latest/developerguide/role-based-access-control.html

However, you should not send the Google id_token to the (I assume AWS-based) API where you obtain the AWS temporary credentials. Instead, you should obtain the AWS temporary credentials on the client and then call AWS resources with a Signature V4 header.

Alternatively, if your API can assume an AWS service role and you don't need to obtain temporary AWS credentials, you can use AWS Cognito user pools. They also support Google as an identity provider - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-social-idp.html

For an API hosted on EC2, you can't really use the security credentials generated by a Cognito identity pool, because you can't effectively control access to the EC2 HTTP(S) ports through IAM policies. However, your EC2-hosted application can accept the Google id_token and validate it - https://developers.google.com/identity/sign-in/web/backend-auth#:~:text=After%20you%20receive%20the%20ID,to%20verify%20the%20token's%20signature. There is no reason to use an identity pool, and there is no security risk in authenticating API access with the Google id_token, as the token is signed by Google and you can verify that on your API. You can also use Cognito user pools: you retrieve the access token from the user pool on the client and send it to the API hosted on EC2. You then validate the access token in the hosted application - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

If your EC2 is accessed through an Elastic Load Balancer, you can move user authentication to the ELB level. You can use a Cognito user pool or the Google identity provider for user authentication - https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html

For Amazon API Gateway, you can use a Cognito identity pool: the security credentials generated on the client will allow executing the given API Gateway, and you enable IAM authentication on the gateway - https://aws.amazon.com/premiumsupport/knowledge-center/iam-authentication-api-gateway/. You can also use Cognito user pools: you retrieve the access token from the user pool on the client and send it to API Gateway, which has Cognito authentication enabled - https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
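Added example (not part of the answer above and not AWS's own code): the server-side check the answer recommends for a Cognito user pool access token, written in stdlib Python so it runs offline. It follows the steps from the linked "verifying a JWT" guide: look up the signing key by kid in the pool's JWKS, verify the RS256 signature, and only then check iss, token_use, client_id and exp. Assumptions: the region, user pool id, app client id, kid and claim values are constructed placeholders; the RSA key pair is a toy one generated inside the block purely so that a token can be minted and checked without network access, whereas a real API fetches the pool's public keys from the JWKS URL (the standard `.well-known/jwks.json` path under the pool's issuer) and would normally use a maintained JWT library rather than hand-rolled RSA.

```python
import base64, hashlib, hmac, json, random, time
# JWT segments are unpadded base64url
b64e = lambda data: base64.urlsafe_b64encode(data).rstrip(b"=").decode()
b64d = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Toy RSA key generation (stdlib only), CONSTRUCTED so the demo runs offline. A real API never generates
# keys: it fetches the pool's public keys from https://cognito-idp.<region>.amazonaws.com/<pool-id>/.well-known/jwks.json
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    d, r = n - 1, 0  # Miller-Rabin; n is always a large odd number here
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_toy_rsa_key(bits: int = 1024, seed: int = 1234) -> dict:
    rng, e, half, primes = random.Random(seed), 65537, bits // 2, []
    while len(primes) < 2:
        c = rng.getrandbits(half) | (1 << (half - 1)) | 1  # force the top bit and oddness
        if _is_probable_prime(c, rng) and c not in primes and (c - 1) % e:  # e is prime, so gcd(e, phi) == 1
            primes.append(c)
    p, q = primes
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}  # modular inverse needs Python 3.8+

# RS256 is RSASSA-PKCS1-v1_5 with SHA-256 (RFC 8017 section 8.2)
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _emsa(msg: bytes, k: int) -> bytes:
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rsa_verify(msg: bytes, sig: bytes, n: int, e: int) -> bool:
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    return len(sig) == k and s < n and hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa(msg, k))

def jwks_for(key: dict, kid: str) -> dict:  # public half of the key in the JWKS shape Cognito publishes
    ib = lambda x: b64e(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid,
                      "n": ib(key["n"]), "e": ib(key["e"])}]}

def mint_token(claims: dict, key: dict, kid: str) -> str:  # stand-in for the user pool issuing a token
    seg = lambda obj: b64e(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = seg({"alg": "RS256", "kid": kid}) + "." + seg(claims)
    return signing_input + "." + b64e(rsa_sign(signing_input.encode(), key))

class TokenError(Exception):
    pass

def verify_cognito_access_token(token, jwks, region, user_pool_id, app_client_id, now=None) -> dict:
    """Steps from the Cognito 'verifying a JWT' guide: signature via kid lookup in the JWKS, then
    iss, token_use, client_id and exp. Raises TokenError, or ValueError if the token cannot be decoded."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64d(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # the token never chooses the algorithm
        raise TokenError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if header.get("kid") and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise TokenError("unknown kid")
    n, e = (int.from_bytes(b64d(jwk[f]), "big") for f in ("n", "e"))
    if not rsa_verify(f"{header_b64}.{payload_b64}".encode(), b64d(sig_b64), n, e):
        raise TokenError("bad signature")
    claims = json.loads(b64d(payload_b64))  # the payload is trustworthy only from here on
    if not isinstance(claims, dict) or claims.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}":
        raise TokenError("wrong issuer")
    if claims.get("token_use") != "access":  # an id_token carries token_use=id and aud, not client_id
        raise TokenError("not an access token")
    if claims.get("client_id") != app_client_id:
        raise TokenError("wrong client_id")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= (time.time() if now is None else now):
        raise TokenError("expired")
    return claims

def demo() -> dict:  # constructed scenario: mint tokens with the toy key and run the checks on them
    region, pool, client, kid, now = "us-west-1", "us-west-1_EXAMPLE", "example-app-client-id", "toy-key-1", 1_700_000_000
    jwks = jwks_for(key := generate_toy_rsa_key(), kid)
    base = {"iss": f"https://cognito-idp.{region}.amazonaws.com/{pool}", "token_use": "access",
            "client_id": client, "sub": "user-123", "exp": now + 3600}
    def ok(token, keys=jwks, at=now) -> bool:
        try:
            verify_cognito_access_token(token, keys, region, pool, client, at)
            return True
        except (TokenError, ValueError, KeyError):
            return False
    good = mint_token(base, key, kid)
    h, _, s = good.split(".")
    return {"valid": ok(good),
            "tampered": ok(".".join([h, b64e(json.dumps(dict(base, sub="admin")).encode()), s])),
            "id_token": ok(mint_token(dict(base, token_use="id"), key, kid)),
            "expired": ok(good, at=now + 7200),
            "unknown_kid": ok(good, keys=jwks_for(key, "other-kid"))}
```

The token_use check is the practical difference between the two tokens the question asks about: an id_token passed to this function fails at that step, which is what keeps an identity token from being accepted where an access token is expected. The same structure (key by kid, signature, issuer, audience, expiry) applies to validating a Google id_token on the API as the answer describes, with Google's issuer, JWKS and the aud claim substituted for the Cognito values.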