限制登录到 AWS 联合身份池的企业 Google 域

Question

我正在使用带有 aws-amplify ( https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities )的联合身份池，我想将域的范围限制为我的 google 域组织（例如 johndoe@foobar.com）。

似乎没有办法将其锁定在 Google API 控制台或 AWS Cognito 身份池设置上，只是暗示可以将 hd 参数附加到 google 请求以按域对其进行限制（这仍然会需要修改 aws-amplify 核心包），它仍然不安全，因为任何人都可以在没有高清的情况下发出相同的请求并获得对 cognito 的访问权限。

我的问题是：有没有办法限制 google oauth 密钥只允许 @foobar.com 电子邮件地址，或者使用 aws cognito 实现相同的限制？

Answer 1

我相信我找到了一个解决方案（从几个快速测试中它似乎工作正常）

不要试图通过角色中的信任关系来控制托管域部分。

• 转到：Cognito / 编辑身份池 / 身份验证提供程序

• 选择 Google+

• 在“经过身份验证的角色选择”中选择“使用规则选择角色”

• 现在要求声明“hd”为“等于” <your-domain>

• 将“角色解析”设置为“拒绝”

来源：https : //forums.aws.amazon.com/thread.jspa?messageID=527303

这是一个 cloudformation 堆栈，可一次性设置所有内容（身份池、角色等）。您需要在所有标有EDIT HERE:注释的地方进行必要的调整。

AWSTemplateFormatVersion : 2010-09-09
Description : "An Identity Pool stack which uses Google for sign-in"


Resources:
  IdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      IdentityPoolName: identity_pool_a
      AllowUnauthenticatedIdentities: false
      SupportedLoginProviders: 
        # EDIT HERE:
        "accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"

  IdentityForbiddenRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow 
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: None
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Deny
                Action: "*"
                Resource: "*"

  IdentityAllowedRole:
    Type: AWS::IAM::Role
    Properties:
      MaxSessionDuration: 3600
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals: 
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              ForAnyValue:StringLike:
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: UserPermissions
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                # EDIT HERE:
                Action: "s3:GetObject"
                # EDIT HERE:
                Resource: "arn:aws:s3:::my-bucket/*"

  RoleAttachment:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles: 
        unauthenticated: !GetAtt IdentityForbiddenRole.Arn
        authenticated: !GetAtt IdentityForbiddenRole.Arn
      RoleMappings: 
        accounts.google.com:
          AmbiguousRoleResolution: Deny
          Type: Rules
          RulesConfiguration:
            Rules:
              - Claim: hd
                MatchType: Equals
                # EDIT HERE:
                Value: mydomain.com
                RoleARN: !GetAtt IdentityAllowedRole.Arn