2

I have been trying to create a user login using the aws-sdk-cpp. I essentially would like a user to register using my app as a user (which will add them to the cognito user pool - I have this working), and then log-in. This login will then provide them access to a specific bucket in the account. I have created a policy which should allow cognito users to access the bucket using the below.

http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

I have created a user pool and a federated identity in the AWS console, and enabled cognito as a identity provider in the user pool, so I think that side is all correct.

I have tried using the SDK to put this authentication together, using the integration tests from identity-management as a starting point. 

Aws::SDKOptions options;
Aws::InitAPI(options);
{
    const Aws::String userPool_id = "eu-west-1_xxxxxxxxx";
    const Aws::String client_id = "xxxxxxxxxxxxxxxxxxxxxxxxxx";
    const Aws::String region_id = "eu-west-1";
    const Aws::String identityPool_id = "eu-west-1:xxxxxxxxxxxxxxxxx";
    const Aws::String account_id = "xxxxxxxxxxxx";

    Aws::Client::ClientConfiguration clientConfig;
    clientConfig.region = region_id;

    std::shared_ptr<CustomPersistentCognitoIdentityProvider> persistent_provider = std::make_shared<CustomPersistentCognitoIdentityProvider>();
    persistent_provider->SetAccountId(account_id);
    persistent_provider->SetIdentityPoolId(identityPool_id);

    //Aws::Map<Aws::String, LoginAccessTokens> logins;
    //LoginAccessTokens loginAccessTokens;
    //loginAccessTokens.accessToken = LOGIN_ID;
    //logins[LOGIN_KEY] = loginAccessTokens;
    //persistent_provider->SetLogins("cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxxx", client_id);

    auto cognito_client = std::make_shared<Aws::CognitoIdentity::CognitoIdentityClient>(clientConfig);

    Aws::CognitoIdentity::Model::GetIdRequest id_request;
    id_request.SetAccountId(account_id);
    id_request.SetIdentityPoolId(identityPool_id);
    id_request.AddLogins("cognito-idp.eu-west-1.amazonaws.com/eu-west-1_xxxxxx", client_id);
    id_request.AddLogins("USERNAME", "tester@xxxxxxxxx");
    id_request.AddLogins("PASSWORD", "xxxxxxxxxxxxx");
    cognito_client->GetId(id_request);

    Aws::Auth::CognitoCachingAuthenticatedCredentialsProvider authenticated_provider(persistent_provider, cognito_client);
    Aws::Auth::AWSCredentials credentials = authenticated_provider.GetAWSCredentials();

    std::cout << "AccessKeyID : " << credentials.GetAWSAccessKeyId() << std::endl;
    std::cout << "SecretKey : " << credentials.GetAWSSecretKey() << std::endl;

    Aws::S3::S3Client s3_client(credentials, clientConfig);

    S3ListObject(s3_client, "cloudtesting");
    // do stuff with the s3 bucket 
}

Aws::ShutdownAPI(options);

The code above returns empty strings for the access keys.

Adding some debug at the GetId call return:

Request error: NotAuthorizedException Invalid login token. Not a valid OpenId Connect identity token.

I've obviously missed something here, or in the setup. Any suggestions/help/code examples would be greatly appreciated!

4

1 回答 1

2

为了使用 Cognito 用户池进行身份验证,您必须使用CognitoIdentityProviderClient(请参阅 aws/cognito-idp/CognitoIdentityProviderClient.h)。它使用安全远程密码协议 (SRP) 进行身份验证,遗憾的是您必须自己实现。您首先调用InitiateAuth,然后它会回复一些您必须使用RespondToAuthChallenge回复的信息。

这是在适用于 JavaScript 的 Amazon Cognito 身份开发工具包中实现的,您可以将其用作参考。

于 2017-12-15T15:36:01.257 回答