您的客户端代码看起来ClientId
不错,我的代码中有参数,但如果您的代码没有引发异常,那么它应该没问题。除非您在Generate client secret
创建应用程序客户端时选中了选项。如果是这种情况,那么您必须SECRET_HASH
像AuthParameters
下面这样传入:
import hmac
import hashlib
import base64
def get_secret_hash(email, client_id, client_secret):
"""
A keyed-hash message authentication code (HMAC) calculated using
the secret key of a user pool client and username plus the client
ID in the message.
"""
message = email + client_id
client_secret = str.encode(client_secret)
dig = hmac.new(client_secret, msg=message.encode('UTF-8'), digestmod=hashlib.sha256).digest()
return base64.b64encode(dig).decode()
client.admin_initiate_auth(
UserPoolId=COGNITO_USER_POOL_ID,
ClientId=CLIENT_ID,
AuthFlow='CUSTOM_AUTH',
AuthParameters={
'USERNAME': email,
'SECRET_HASH': get_secret_hash(email, CLIENT_ID, CLIENT_SECRET) # Omit if secret key option is disabled.
},
)
接下来,仔细检查以下内容:
在 下App clients > * > Auth Flows Configuration
,是否ALLOW_CUSTOM_AUTH
为您的客户启用了选项?
在 下App integration > App client settings > * > Enabled Identity Providers
,您的用户池是否被选中?
如果您正确设置了 Cognito 并且您的代码仍然无法工作,那么它可能是 lambda 代码。您可能知道这一点,但对于无密码自定义身份验证,您需要使用 3 个 lambda 触发器:Define Auth Challenge
、Create Auth Challenge
和Verify Auth Challenge
.
自定义身份验证 lambdas 事件按以下顺序触发:
- 定义AuthChallenge_Authentication:
- 从技术上讲,可以在此处将 issueTokens 设置为 True 以返回令牌,而无需执行其余步骤。
def lambda_handler(event, context):
if event['triggerSource'] == 'DefineAuthChallenge_Authentication':
event['response']['challengeName'] = 'CUSTOM_CHALLENGE'
event['response']['issueTokens'] = False
event['response']['failAuthentication'] = False
if event['request']['session']: # Needed for step 4.
# If all of the challenges are answered, issue tokens.
event['response']['issueTokens'] = all(
answered_challenge['challengeResult'] for answered_challenge in event['request']['session'])
return event
- CreateAuthChallenge_Authentication:
def lambda_handler(event, context):
if event['triggerSource'] == 'CreateAuthChallenge_Authentication':
if event['request']['challengeName'] == 'CUSTOM_CHALLENGE':
event['response']['privateChallengeParameters'] = {}
event['response']['privateChallengeParameters']['answer'] = 'YOUR CHALLENGE ANSWER HERE'
event['response']['challengeMetadata'] = 'AUTHENTICATE_AS_CHALLENGE'
return event
然后您的客户必须回应挑战:
client.respond_to_auth_challenge(
ClientId=CLIENT_ID,
ChallengeName='CUSTOM_CHALLENGE',
Session=session,
ChallengeResponses={
'USERNAME': email,
'ANSWER': 'Extra Protection!',
'SECRET_HASH': get_secret_hash(email, CLIENT_ID, CLIENT_SECRET) # Omit if secret key option is disabled.
}
)
- 验证验证挑战响应_验证:
def lambda_handler(event, context):
if event['triggerSource'] == 'VerifyAuthChallengeResponse_Authentication':
if event['request']['challengeAnswer'] == event['request']['privateChallengeParameters']['answer']:
event['response']['answerCorrect'] = True
return event
- 定义AuthChallenge_Authentication:
- 设置
event['response']['issueTokens']
为True
返回令牌(步骤 1 中显示的代码),或发出另一个质询以继续重复步骤 1-3。
最后,确保您的用户池是否也启用了不区分大小写选项。CUSTOM_AUTH
此外,如果用户处于FORCE_CHANGE_PASSWORD
状态,我无法准确回忆流是否有效。如果用户处于该状态,则尝试使用 sdk 设置永久密码以将状态设置为CONFIRMED
.