无法通过 aws cognito 使用请求

Question

所以我已经设置了 Cognito 并使用 boto3 我可以使用以下代码获得 AccessToken、IdToken 和 RefreshToken：

client = boto3.client('cognito-idp', region_name="us-east-1")
resp = client.initiate_auth(
    AuthFlow='USER_PASSWORD_AUTH',
    AuthParameters={
        'USERNAME': username,
        'PASSWORD': pwd,
        'SECRET_HASH': secret_hash
    },
    ClientId=app_client_id,
)

到目前为止一切顺利。但现在我正在尝试像这样访问我的资源：

# A dns entry pointing to a LoadBalancer using Cognito on port 443
aws_lb_endpoint = "https://my_endpoint.com/"
auth_endpoint = "https://myendpoint.auth.us-east-1.amazoncognito.com"

id_token = resp['AuthenticationResult']['IdToken']

r = requests.get(aws_lb_endpoint, headers={'Authorization': id_token})

但我没有让我的网页在 Cognito 后面，而是得到 Cognito 登录页面作为回报：

<!DOCTYPE html>
<html lang="en">
<head><head>
    <link href="https://d3oia8etllorh5.cloudfront.net/20201215211355/css/bootstrap.min.css" rel="stylesheet"
        media="screen" />
    <link href="https://d3oia8etllorh5.cloudfront.net/20201215211355/css/cognito-login.css" rel="stylesheet"
        media="screen" />
    
    <title>Signin</title>

    <script src="https://d3oia8etllorh5.cloudfront.net/20201215211355/js/amazon-cognito-advanced-security-data.min.js" ></script>
    <script>
    function getAdvancedSecurityData(formReference) {
        if (typeof AmazonCognitoAdvancedSecurityData === "undefined") {
            return true;
        }

        // UserpoolId is not available on frontend for springboard. We do not use userPoolId
        // anyway other than put in context data. 
        var userPoolId = "";
        var clientId = getUrlParameter("client_id");
...

这是关于如何将 Cognito 连接到 ALB 的 terraform 代码：​​

resource "aws_lb_listener" "front_end_ssl" {
  load_balancer_arn = aws_lb.my_alb.arn
  port = "443"
  protocol = "HTTPS"
  ssl_policy = "ELBSecurityPolicy-2016-08"
  certificate_arn = var.certificate_arn

  default_action {
    type = "authenticate-cognito"

    authenticate_cognito {
      user_pool_arn       = aws_cognito_user_pool.my_pool.arn
      user_pool_client_id = aws_cognito_user_pool_client.webfront_pool_client.id
      user_pool_domain    = aws_cognito_user_pool_domain.my_pool_domain.domain
    }
  }

  default_action {
    type = "forward"
    target_group_arn = aws_lb_target_group.my_group_of_ec2_instances.arn
  }
}

resource "aws_cognito_user_pool_client" "webfront_pool_client" {
  name = "webfront_pool_client"

  user_pool_id = aws_cognito_user_pool.my_pool.id

  # Secret is mandatory here for the loadbalancer
  generate_secret = true
  prevent_user_existence_errors = "ENABLED"
  callback_urls = [
    "https://${aws_route53_record.server[0].fqdn}/oauth2/idpresponse"
  ]
  allowed_oauth_flows_user_pool_client = true

  # client_credentials would be ideal here for machine-to-machine communication. But we can't use client_credentials with Aws ALB
  allowed_oauth_flows = [
    "code"
  ]
  allowed_oauth_scopes = [
    "email",
    "openid"
  ]
  explicit_auth_flows = [
    "USER_PASSWORD_AUTH"
  ]
  supported_identity_providers = [
    "COGNITO"
  ]
}

有谁知道我如何通过 REST 请求并使用 IdToken 访问 Cognito 登录页面后面的资源？谢谢！

Answer 1

您的代码看起来不错。如果您的应用程序和 Cognito 配置正确，则问题可能是您在提供 id 令牌时缺少 Authorization 标头中的 Bearer 前缀。

请尝试：

r = requests.get(aws_lb_endpoint, headers={'Authorization': 'Bearer ' + id_token})

请考虑阅读此related SO question，我认为这可能会有所帮助。