我在浏览器脚本中获取凭据时遇到问题。
身份验证服务器返回 cognito_identityId 和 cognito_token。
然后我设置了一个Cookie:
- $.cookie('cognitoidentityId')
- $.cookie('cognito_token')
我尝试在浏览器上通过 4 种方式获取凭据,但均失败:
-
认知身份凭证
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'us-east-1:xxxxxxxxxxxx'
IdentityId: $.cookie('cognito_identityId'),
Logins: {
'myauth': $.cookie('cognito_token')
}
});
// => 错误:参数中缺少必需的键“IdentityId”
-
假设角色与网络身份
var params = {
RoleArn: 'arn:aws:iam::xxxxxxxxxxxx:role/Cognito_xxxxxxxAuth_Role',
RoleSessionName: 'xxxxxxxxxxx',
WebIdentityToken: $.cookie('cognito_token'),
DurationSeconds: 900,
ProviderId: 'myauth'
};
var sts = new AWS.STS({apiVersion: '2011-06-15'});
sts.assumeRoleWithWebIdentity(params, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
// => AccessDenied:无权执行 sts:AssumeRoleWithWebIdentity
政策文件
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:xxxxxxxxxxxxx"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
-
获取身份凭证
var params = {
IdentityId: $.cookie('cognito_identityId'),
Logins: {
"myauth": $.cookie('oauth.io_token')
}
};
var cognitoidentity = new AWS.CognitoIdentity({apiVersion: '2014-06-30'});
cognitoidentity.getCredentialsForIdentity(params, function(err, data) {
if (err) {
console.log(err, err.stack); // an error occurred
}
else {
console.log(data); // successful response
}
});
// => InvalidParameterException: 请提供有效的公共提供者
-
网络身份凭证
AWS.config.credentials = new AWS.WebIdentityCredentials({
RoleArn: 'arn:aws:iam::xxxxxxxx:role/Cognito_xxxxxxxxxxAuth_Role',
WebIdentityToken: $.cookie('cognito_token')
});
// => 错误:有 2 个验证错误:
// * MissingRequiredParameter: 参数中缺少必需的键“IdentityPoolId”
// * MissingRequiredParameter: 参数中缺少必需的键“IdentityId”
问题:
谢谢。
谢谢你的好意。
我采纳了你的建议,但没有改变。
错误消息。
POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
POST https://cognito-identity.us-east-1.amazonaws.com/ 400 (Bad Request)
Error: Missing required key 'IdentityId' in params
at fail (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2163:37)
at validateStructure (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2084:14)
at validateMember (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2110:21)
at validate (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:2059:10)
at Request.VALIDATE_PARAMETERS (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:800:32)
at Request.callListeners (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:3913:20)
at callNextListener (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:3903:12)
at chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:787:9
at finish (chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:126:7)
at chrome-extension://hmjdjbikinkmjbilihjibcihbkbjdgjf/bower_components/aws-sdk-js/dist/aws-sdk.js:142:9
下面链接有源代码。
https://github.com/bisque33/my-custom-dictionary https://github.com/bisque33/my-custom-dictionary
服务器端是AWS Lambda函数。
var aws = require('aws-sdk');
aws.config.region = 'us-east-1';
var cognitoidentity = new aws.CognitoIdentity();
var identityPoolId = 'us-east-1:0dccff0d-5fd7-4d14-b38f-d27204feaecc';
console.log('Loading function');
exports.handler = function(event, context) {
console.log('token: %s', event.token);
var params = {
IdentityPoolId: identityPoolId,
Logins: {
'oauth.io': event.token
}
};
cognitoidentity.getOpenIdTokenForDeveloperIdentity(params,function(err,data){
if(err){
console.log(err);
context.fail('Something went wrong');
}else{
context.succeed(data);
}
});
};
该程序是 Google-Chrome-Extension。
- AWS Lambda 函数通过 getOpenIdTokenForDeveloperIdentity 返回令牌。
- app/scripts/popup.js 调用 Lambda 函数并设置 cookie。
- app/scripts/background.js 调用 AWS.config.credentials.get,并返回错误。
难道是我用错了?
更新附加信息
感谢您提供额外信息。
错误出现在background.js的第104行
AWS.config.credentials.get(function(){
和background.js上的115行
dataset.synchronize(
而且,我的解释还不够。 Facebook 身份验证需要域名(例如 http://example.com)。但是,Google-Chrome-Ext 没有域。它有一个域“chrome-extension://xxxxxxxxxxxxxxxxxxx”。然后,我用https://oauth.io https://oauth.io。它代理任何身份验证并接受 chrome-extension 域。
Popup.js 通过 oauth.io sdk 进行 Facebook 身份验证。它获取一个 facebook 令牌,并提供给 getOpenIdTokenForDeveloperIdentity。我认为 facebook token.substr(0,14) 是独一无二的。但是,如果错误,我会使用另一个唯一标识符(例如电子邮件地址。)
对不起我错了。 AWS.config.credentials.get 给出错误:
Error: Invalid login token.
并且,dataset.synchronize 显示此错误:
Error: Missing required key 'IdentityId' in params