0 python api amazon-cognito boto3 password-less
我一直在尝试使用 AWS Cognito & API Gateway & Lambda (Python) 实施无密码身份验证
我关注了这些文章: https://medium.com/digicred/password-less-authentication-in-cognito-cafa016d4db7 https://medium.com/@pjatocheseminario/passwordless-api-using-cognito-and-serverless-框架-7fa952191352
我已配置 Cognito(以接受 CUSTOM_AUTH)、添加 Lambda 并创建 API 端点:
/sign-up
/initiate-auth (aka initiate login)
/respond-to-auth-challenge (aka (verify login)
调用 initiateAuth 时,我收到以下响应:调用 InitiateAuth 操作时发生错误 (NotAuthorizedException):用户名或密码不正确。”
我使用的是不需要密码的 CUSTOM_AUTH,并且用户名绝对正确,因为它实际上启动了身份验证流程并且我收到了代码,但是由于 boto3 不响应会话,我无法继续身份验证。
我就是这样称呼 Cognito 的:
res = cognito.initiate_auth(
ClientId=client_id,
AuthFlow="CUSTOM_AUTH",
AuthParameters={
"USERNAME": email,
"PASSWORD": random_password
}
)
这可能是我遗漏的一些小东西,但我不知道是什么。
您的客户端代码看起来不错,我的有ClientId参数,但如果您的代码没有引发异常,那么应该没问题。除非您Generate client secret在创建应用程序客户端时选中了选项。如果是这种情况,那么您必须SECRET_HASH像AuthParameters下面这样传入:
import hmac
import hashlib
import base64
def get_secret_hash(email, client_id, client_secret):
"""
A keyed-hash message authentication code (HMAC) calculated using
the secret key of a user pool client and username plus the client
ID in the message.
"""
message = email + client_id
client_secret = str.encode(client_secret)
dig = hmac.new(client_secret, msg=message.encode('UTF-8'), digestmod=hashlib.sha256).digest()
return base64.b64encode(dig).decode()
client.admin_initiate_auth(
UserPoolId=COGNITO_USER_POOL_ID,
ClientId=CLIENT_ID,
AuthFlow='CUSTOM_AUTH',
AuthParameters={
'USERNAME': email,
'SECRET_HASH': get_secret_hash(email, CLIENT_ID, CLIENT_SECRET) # Omit if secret key option is disabled.
},
)
接下来,仔细检查以下内容:
在 下App clients > * > Auth Flows Configuration,ALLOW_CUSTOM_AUTH您的客户是否启用了该选项?
在 下App integration > App client settings > * > Enabled Identity Providers,是否选择了您的用户池?
如果您正确设置了 Cognito,但您的代码仍然无法工作,那么它可能是 lambda 代码。您可能知道这一点,但对于无密码自定义身份验证,您需要使用 3 个 lambda 触发器:Define Auth Challenge、Create Auth Challenge和Verify Auth Challenge。
自定义 auth lambda 事件按以下顺序触发:
def lambda_handler(event, context):
if event['triggerSource'] == 'DefineAuthChallenge_Authentication':
event['response']['challengeName'] = 'CUSTOM_CHALLENGE'
event['response']['issueTokens'] = False
event['response']['failAuthentication'] = False
if event['request']['session']: # Needed for step 4.
# If all of the challenges are answered, issue tokens.
event['response']['issueTokens'] = all(
answered_challenge['challengeResult'] for answered_challenge in event['request']['session'])
return event
def lambda_handler(event, context):
if event['triggerSource'] == 'CreateAuthChallenge_Authentication':
if event['request']['challengeName'] == 'CUSTOM_CHALLENGE':
event['response']['privateChallengeParameters'] = {}
event['response']['privateChallengeParameters']['answer'] = 'YOUR CHALLENGE ANSWER HERE'
event['response']['challengeMetadata'] = 'AUTHENTICATE_AS_CHALLENGE'
return event
然后您的客户必须应对挑战:
client.respond_to_auth_challenge(
ClientId=CLIENT_ID,
ChallengeName='CUSTOM_CHALLENGE',
Session=session,
ChallengeResponses={
'USERNAME': email,
'ANSWER': 'Extra Protection!',
'SECRET_HASH': get_secret_hash(email, CLIENT_ID, CLIENT_SECRET) # Omit if secret key option is disabled.
}
)
def lambda_handler(event, context):
if event['triggerSource'] == 'VerifyAuthChallengeResponse_Authentication':
if event['request']['challengeAnswer'] == event['request']['privateChallengeParameters']['answer']:
event['response']['answerCorrect'] = True
return event
event['response']['issueTokens']为True返回令牌(步骤 1 中显示的代码),或发出另一个质询以继续重复步骤 1-3。最后,确保您的用户池是否也启用了不区分大小写选项。CUSTOM_AUTH另外,如果用户处于状态,我无法准确回忆流程是否有效FORCE_CHANGE_PASSWORD。如果用户处于该状态,则尝试使用 sdk 设置永久密码以将状态设置为CONFIRMED。
| 归档时间: |
|
| 查看次数: |
2418 次 |
| 最近记录: |