如何使用 C# 和 .NET Core 3.x 管理 AWS Cognito 用户池中的用户?在文档中找不到任何关于它的内容。
【问题讨论】:
标签: c# amazon-web-services .net-core amazon-cognito
@Attilio Gelosa 的原创文章
我写这篇文章是希望它对其他人有所帮助。我不得不阅读一页又一页的文档并从 AWS 专家那里获得帮助(非常感谢 Faustino!),但最后我做到了:能够使用 C# 和 . NET Core 3.x。
在开始之前,我们必须:
请转到 AWS 管理控制台并使用您要使用的管理帐户登录。
转到 AWS Identity and Access Management (IAM) 端点击 Users 链接,然后点击 Add user 按钮。
键入您要使用的用户名,打开程序访问标志并单击下一步:权限按钮。
单击直接附加现有策略,使用“Cognito”过滤策略并单击标志以激活AmazonCognitoPowerUser
单击下一步以到达最后一个选项卡并创建用户。在下一页上,您将确认创建。请记下 Access key ID 值和 Secret access key 值,或者您可以下载包含相同信息的 CSV 文件。
要编辑本地凭据文件,如果您使用的是 Windows,请转到 %USERPROFILE%\.aws\credentials 或使用 Linux ~/.aws/credentials。该文件应该是这样的:
[Profile_name_1]
aws_access_key_id=<ACCESS_KEY_ID_1>
aws_secret_access_key=<SECRET_ACCESS_KEY_1>
[Profile_name_2]
aws_access_key_id=<ACCESS_KEY_ID_2>
aws_secret_access_key=<SECRET_ACCESS_KEY_2>
使用您想要的名称创建一个新部分,并复制您之前记下的访问密钥 ID 和秘密访问密钥。请记下您选择的部分名称。
转到 Cognito 用户池页面并创建一个新池。键入您要使用的名称,然后单击查看默认值。
在下一页,点击添加应用客户端...链接。
点击添加应用客户端。
在下一页上,插入您要使用的应用程序的名称。确保打开以下标志:
请注意禁用“生成客户端密码”标志。
最后,点击创建应用客户端按钮。
现在返回池详细信息,单击返回池详细信息链接。
现在创建新池,点击创建池按钮。
请注意应用客户端设置菜单下的Pool Id和应用客户端ID。
转到用户和组,单击组选项卡,然后单击创建组按钮。
输入新组的名称并点击创建组按钮。
下面的库代码仅用于演示目的。在投入生产之前,有必要添加一个更好的异常处理系统和日志记录。
记得添加以下库:
public class CognitoUserManagement
{
private readonly AWSCredentials awsCredentials;
private readonly AmazonCognitoIdentityProviderClient adminAmazonCognitoIdentityProviderClient;
private readonly AmazonCognitoIdentityProviderClient anonymousAmazonCognitoIdentityProviderClient;
public CognitoUserManagement(string profileName, RegionEndpoint regionEndpoint)
{
CredentialProfileStoreChain credentialProfileStoreChain = new CredentialProfileStoreChain();
if (credentialProfileStoreChain.TryGetAWSCredentials(profileName, out AWSCredentials internalAwsCredentials))
{
awsCredentials = internalAwsCredentials;
adminAmazonCognitoIdentityProviderClient = new AmazonCognitoIdentityProviderClient(
awsCredentials,
regionEndpoint);
anonymousAmazonCognitoIdentityProviderClient = new AmazonCognitoIdentityProviderClient(
new AnonymousAWSCredentials(),
regionEndpoint);
}
else
{
throw new ArgumentNullException(nameof(AWSCredentials));
}
}
public async Task AdminCreateUserAsync(
string username,
string password,
string userPoolId,
string appClientId,
List<AttributeType> attributeTypes)
{
AdminCreateUserRequest adminCreateUserRequest = new AdminCreateUserRequest
{
Username = username,
TemporaryPassword = password,
UserPoolId = userPoolId,
UserAttributes = attributeTypes
};
AdminCreateUserResponse adminCreateUserResponse = await adminAmazonCognitoIdentityProviderClient
.AdminCreateUserAsync(adminCreateUserRequest)
.ConfigureAwait(false);
AdminUpdateUserAttributesRequest adminUpdateUserAttributesRequest = new AdminUpdateUserAttributesRequest
{
Username = username,
UserPoolId = userPoolId,
UserAttributes = new List<AttributeType>
{
new AttributeType()
{
Name = "email_verified",
Value = "true"
}
}
};
AdminUpdateUserAttributesResponse adminUpdateUserAttributesResponse = adminAmazonCognitoIdentityProviderClient
.AdminUpdateUserAttributesAsync(adminUpdateUserAttributesRequest)
.Result;
AdminInitiateAuthRequest adminInitiateAuthRequest = new AdminInitiateAuthRequest
{
UserPoolId = userPoolId,
ClientId = appClientId,
AuthFlow = "ADMIN_NO_SRP_AUTH",
AuthParameters = new Dictionary<string, string>
{
{ "USERNAME", username},
{ "PASSWORD", password}
}
};
AdminInitiateAuthResponse adminInitiateAuthResponse = await adminAmazonCognitoIdentityProviderClient
.AdminInitiateAuthAsync(adminInitiateAuthRequest)
.ConfigureAwait(false);
AdminRespondToAuthChallengeRequest adminRespondToAuthChallengeRequest = new AdminRespondToAuthChallengeRequest
{
ChallengeName = ChallengeNameType.NEW_PASSWORD_REQUIRED,
ClientId = appClientId,
UserPoolId = userPoolId,
ChallengeResponses = new Dictionary<string, string>
{
{ "USERNAME", username },
{ "NEW_PASSWORD", password }
},
Session = adminInitiateAuthResponse.Session
};
AdminRespondToAuthChallengeResponse adminRespondToAuthChallengeResponse = adminAmazonCognitoIdentityProviderClient
.AdminRespondToAuthChallengeAsync(adminRespondToAuthChallengeRequest)
.Result;
}
public async Task AdminAddUserToGroupAsync(
string username,
string userPoolId,
string groupName)
{
AdminAddUserToGroupRequest adminAddUserToGroupRequest = new AdminAddUserToGroupRequest
{
Username = username,
UserPoolId = userPoolId,
GroupName = groupName
};
AdminAddUserToGroupResponse adminAddUserToGroupResponse = await adminAmazonCognitoIdentityProviderClient
.AdminAddUserToGroupAsync(adminAddUserToGroupRequest)
.ConfigureAwait(false);
}
public async Task<AdminInitiateAuthResponse> AdminAuthenticateUserAsync(
string username,
string password,
string userPoolId,
string appClientId)
{
AdminInitiateAuthRequest adminInitiateAuthRequest = new AdminInitiateAuthRequest
{
UserPoolId = userPoolId,
ClientId = appClientId,
AuthFlow = "ADMIN_NO_SRP_AUTH",
AuthParameters = new Dictionary<string, string>
{
{ "USERNAME", username},
{ "PASSWORD", password}
}
};
return await adminAmazonCognitoIdentityProviderClient
.AdminInitiateAuthAsync(adminInitiateAuthRequest)
.ConfigureAwait(false);
}
public async Task AdminRemoveUserFromGroupAsync(
string username,
string userPoolId,
string groupName)
{
AdminRemoveUserFromGroupRequest adminRemoveUserFromGroupRequest = new AdminRemoveUserFromGroupRequest
{
Username = username,
UserPoolId = userPoolId,
GroupName = groupName
};
await adminAmazonCognitoIdentityProviderClient
.AdminRemoveUserFromGroupAsync(adminRemoveUserFromGroupRequest)
.ConfigureAwait(false);
}
public async Task AdminDisableUserAsync(
string username,
string userPoolId)
{
AdminDisableUserRequest adminDisableUserRequest = new AdminDisableUserRequest
{
Username = username,
UserPoolId = userPoolId
};
await adminAmazonCognitoIdentityProviderClient
.AdminDisableUserAsync(adminDisableUserRequest)
.ConfigureAwait(false);
}
public async Task AdminDeleteUserAsync(
string username,
string userPoolId)
{
AdminDeleteUserRequest deleteUserRequest = new AdminDeleteUserRequest
{
Username = username,
UserPoolId = userPoolId
};
await adminAmazonCognitoIdentityProviderClient
.AdminDeleteUserAsync(deleteUserRequest)
.ConfigureAwait(false);
}
}
【讨论】:
只是为了改进 SOReader 的答案,而不是执行编辑本地凭证文件和使用代码依赖本地配置文件的步骤,您可以通过使用访问密钥 id 和密钥实例化 BasicAWSCredentials 对象来替换此行为访问密钥。构造方法看起来像这样:
public CognitoUserManagement(RegionEndpoint regionEndpoint)
{
adminAmazonCognitoIdentityProviderClient = new AmazonCognitoIdentityProviderClient(
BasicAWSCredentials("access-key", "secret-key"),
regionEndpoint);
anonymousAmazonCognitoIdentityProviderClient = new AmazonCognitoIdentityProviderClient(
new AnonymousAWSCredentials(),
regionEndpoint);
}
【讨论】: