如何在Java sdk后端中配置AWS用户认知身份验证流程以生成身份令牌和访问令牌?

编程问答 2022-07-26

问题描述

  1. 我正在使用AWS Cognito身份验证进行签名机制。为了获取凭据(访问,秘密和会话令牌),我们需要获取身份令牌。
  2. 我正在获取用户名,密码,clientId,userPoolId,identityPoolId信息。但是,当我尝试使用USER_PASSWORD_AUTH作为身份验证流类型生成ID令牌时,出现以下错误 原因:com.amazonaws.services.cognitoidp.model.AWSCognitoIdentityProviderException:缺少身份验证令牌(服务:AWSCognitoIdentityProvider;状态代码:400;错误代码:MissingAuthenticationTokenException;请求ID :;代理:null)

下面是代码 

AnonymousAWSCredentials awsCreds = new AnonymousAWSCredentials();

    AWSCognitoIdentityProvider provider = AWSCognitoIdentityProviderClientBuilder.standard()
            .withCredentials(new AWsstaticCredentialsProvider(awsCreds))
            .withRegion(//region)
            .build();
           

    AdminInitiateAuthRequest authRequest = new AdminInitiateAuthRequest()
            .withAuthFlow(AuthFlowType.USER_PASSWORD_AUTH)
            .withClientId("")
            .withUserPoolId("")
            .withAuthParameters(map);
    Map<String,String> map = new HashMap<>();
    map.put("USERNAME","");
    map.put("PASSWORD","");

这里的地图将具有用户名和密码。

有人可以提供有关如何在Java中配置身份验证以生成ID令牌和访问令牌的帮助吗?预先感谢!

解决方法

您的代码可能如下所示。请注意:

  1. 使用ADMIN_USER_PASSWORD_AUTH流进行身份验证。请参阅 AdminInitiateAuth

  2. 在Cognito的客户端设置中,应在“身份验证流程配置”部分下启用下一个选项“对用于身份验证的管理API启用用户名密码auth(ALLOW_ADMIN_USER_PASSWORD_AUTH)” 。。。 > 

     public static void auth(String username,String password) {

 AwsBasicCredentials awsCreds = AwsBasicCredentials.create(AWS_KEY,AWS_SECRET);

 CognitoIdentityProviderClient identityProviderClient =
         CognitoIdentityProviderClient.builder()
                 .credentialsProvider(StaticCredentialsProvider.create(awsCreds))
                 .region(Region.of(REGION))
                 .build();

 final Map<String,String> authParams = new HashMap<>();
 authParams.put("USERNAME",username);
 authParams.put("PASSWORD",password);
 authParams.put("SECRET_HASH",calculateSecretHash(CLIENT_ID,CLIENT_SECRET,username));

 final AdminInitiateAuthRequest authRequest = AdminInitiateAuthRequest.builder()
         .authFlow(AuthFlowType.ADMIN_USER_PASSWORD_AUTH)
         .clientId(CLIENT_ID)
         .userPoolId(POOL_ID)
         .authParameters(authParams)
         .build();

 AdminInitiateAuthResponse result = identityProviderClient.adminInitiateAuth(authRequest);

 System.out.println(result.authenticationResult().accessToken());
 System.out.println(result.authenticationResult().idToken());

    }

  3. 方法calculateSecretHash来自AWS文档Signing Up and Confirming User Accounts

     private static String calculateSecretHash(String userPoolClientId,String userPoolClientSecret,String userName) {
 final String HMAC_SHA256_ALGORITHM = "HmacSHA256";

 SecretKeySpec signingKey = new SecretKeySpec(
         userPoolClientSecret.getBytes(StandardCharsets.UTF_8),HMAC_SHA256_ALGORITHM);
 try {
     Mac mac = Mac.getInstance(HMAC_SHA256_ALGORITHM);
     mac.init(signingKey);
     mac.update(userName.getBytes(StandardCharsets.UTF_8));
     byte[] rawHmac = mac.doFinal(userPoolClientId.getBytes(StandardCharsets.UTF_8));
     return Base64.getEncoder().encodeToString(rawHmac);
 } catch (Exception e) {
     throw new RuntimeException("Error while calculating ");
 }}
access-keysamazon-cognitoauthenticationaws-userpoolsjavajava