- 新しい順
- 投票が多い順
- コメントが多い順
Hi appsg,
The issue with implicit grant is essentially that your callback receive the access token as query string param. This represents a security risk and apart from pet projects, should be avoided for production workloads.
With Authentication grant instead, your call back will NOT receive the user pool generated access token, but an authorization code. Your application has to use that authorization code as part of a HTTP Post request to the Cognito TOKEN Endpoint (https://docs.aws.amazon.com/cognito/latest/developerguide/token-endpoint.html).
The response of above POST call, will contain a response as this:
{ "access_token":"eyJra1example", "id_token":"eyJra2example", "refresh_token":"eyJj3example", "token_type":"Bearer", "expires_in":3600 }
From there, you can store those tokens in a DynamoDB encrypted database (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html), which your app can pass as Bearer tokens in Authorization header when calling an HTTP REST API gateway.
Your application is responsible to reissue new tokens when expired (via refresh tokens), while the api gateway is responsible, via Cognito authorizers. This guide should help you through: https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html
Hope it helps!
関連するコンテンツ
AWS公式更新しました 1年前- AWS公式更新しました 9ヶ月前
- AWS公式更新しました 2年前
Awesome. The Dynamo DB part was the missing piece of the puzzle. I was struggling how tokens should be stored once issued since requiring the users to log in each time they need a token is not an option. Thanks a lot