1 answer
You can use Cognito's "Admin Initiate Auth" operation to authenticate the server to the API. This operation allows you to authenticate users as an administrator. You won't need to use user credentials or a refresh token this way.
Here are the steps to take:
- Create an IAM role with appropriate permissions for your server to access Cognito's Admin APIs. You must specifically grant the "cognito-idp:AdminInitiateAuth" permission.
- When you receive a message from a third-party service (such as Signal or WhatsApp), use the account ID to find the corresponding Cognito user in your user pool.
- To authenticate the user and obtain an ID token, use the Cognito "Admin Initiate Auth" API:
```python
import boto3

client = boto3.client('cognito-idp')
response = client.admin_initiate_auth(
    UserPoolId='your-user-pool-id',
    ClientId='your-app-client-id',
    AuthFlow='ADMIN_USER_PASSWORD_AUTH',
    AuthParameters={
        'USERNAME': 'user_name',  # The user's Cognito username
        'PASSWORD': 'user_password',  # A temporary password or the user's actual password
    },
    ClientMetadata={
        'third_party_account_id': 'account_id',  # The third-party account ID
    }
)
```
- Make a call to your API on behalf of the user using the ID token you obtained.
- Verify the ID token in your Lambda authorizer and look for the third-party account ID in the "ClientMetadata" section. Make decisions based on the user's permissions using this information to validate the request.
This approach is secure as long as best practices for handling access keys and tokens are followed. Make sure to secure your server's IAM credentials and any sensitive data.
Keep in mind that using "Admin Initiate Auth" on the server involves handling user passwords, which could be a security risk. Consider using OAuth 2.0 with a custom grant type or implementing a separate custom authentication flow for your server that does not require user credentials if possible.