User Management with AWS Cognito — (1/3) Initial Setup
The Complete AWS Web Boilerplate — Tutorial 1A
by Kangze Huang
Main Table of Contents Click Here
Part A: Initial Setup
Part B: The Core Functionality
Part C: Last Steps to Full Fledged
Download the Github here.
Introduction
Setting up user authentication can take ages, but it is an essential cornerstone of any production app. There are options out there such as Auth0 and PassportJS, but they either have steep learning curves, require continual maintenance, or are vulnerable to programmer error because you have to set them up yourself. If only there were a hands-off, customizable, secure and highly scalable user management service in the cloud.
Introducing Amazon Cognito and Federated Identities. Cognito is the AWS solution for managing user profiles, and Federated Identities help keep track of your users across multiple logins. Integrated into the AWS ecosystem, AWS Cognito opens up a world of possibility for advanced front end development, as Cognito plus IAM roles give you selective, secure access to other AWS services. Want to only allow S3 bucket access to specific signed-in users? Simply connect a Cognito login with an IAM role allowed access to the bucket, and now your bucket is secure! Best of all, the free tier gives you 50,000 monthly active users so you won’t have to worry about paying more until you’re ready to boom.
This boilerplate is a React-Redux web app that has the full features of AWS Cognito and Federated Identities pre-integrated. Use this boilerplate if you have an app that you want developed with a production-ready authentication service from the very beginning. Indeed this is a powerful launchpad for your next great idea.
Go to AWS Cognito on the AWS console to get started!
Initial Setup — Cognito
We will be setting up AWS Cognito, which is a custom login pool (such as login with email). Cognito IS NOT a login manager for any type of login (such as Facebook and Gmail), only for custom logins.
Let’s first make a user pool by clicking on “Manage your User Pools”. A user pool is a group of users that fulfill the same designation. If you were making an Uber clone, you would make 2 user pools — one for drivers and one for riders. For now, let’s just make 1 new user pool called “App_Users”. The setup screen should look like this:
We’re gonna walk through this process step by step, so enter the Pool name of “App_Users” and click “Step through settings”. The next step is “Attributes”, where we define the attributes that our “App_Users” will have.
For now, we only want to have an email, a password and “agentName”. The email is our unique identifier for a user and the password is a mandatory field (which is why you don’t see it in the list of standard attributes). We want users to be able to have a codename to go by, so let’s set up “agentName” as a custom attribute. We are only using “agentName” to show how to add custom attributes. Scroll down and you will see the option to add custom attributes.
As of the date this tutorial was written, you cannot go back and change the custom attributes (even though AWS appears to be able to), so be sure to get this right the first time! If you need to change attributes, you will have to create a new user pool. Hopefully AWS fixes this issue soon. Anyways, moving on to account policies!
So we can see here that our passwords can be enforced to require certain characters. Obviously requiring a mix of various character types would be more secure, but users often don’t like that. As a middle ground, let’s just require the password to be 8+ characters in length and include at least 1 number. We also want users to be able to sign themselves up. The other parts are not so important, so let’s move on to the next step: Verifications.
This part is cool, we can easily integrate multi-factor authentication (MFA). This means users must sign up with an email as well as another form of authentication such as a phone number. A PIN would be sent to that phone number and the user would use it to verify their account. We won’t be using MFA in this tutorial, just email verification. Set MFA to “off” and check only “Email” as a verification method. We can leave the “AppUsers-SMS-Role” (IAM role) that has been filled in, as we won’t be using it but may use it in the future. Cognito uses that IAM role to be authorized to send SMS text messages used in MFA. Since we’re not using MFA, we can move on to: Message Customizations.
When users receive their account verification emails, we can specify what goes into that email. Here we have written a custom email and inserted the verification PIN via the {####} placeholder. Unfortunately we can’t pass in other variables such as a verification link. To accomplish this, we would have to use a combination of AWS Lambda and AWS SES.
Scroll down the page in the Message Customizations step and we can add our own default FROM and REPLY-TO addresses. In order to do this, we need to verify an email in AWS SES, which is easy and super quick to set up. In a new tab, go to the AWS console homepage by clicking the orange cube at the top left hand. In the console homepage, search for SES (Simple Email Service). Click to go to the SES page, then click the Email Addresses link on the left menu.
Next click “Verify a New Address”, and enter the email you would like to verify.
Now login to your email and open the email from AWS. Click the link inside the email to verify, and you will be redirected to the AWS SES page again. You have successfully verified an email! That was easy.
Now that’s done, let’s return back to AWS Cognito and move on to: Tags.
It is not mandatory to add tags to a user pool, but it is definitely useful for managing many AWS services. Let’s just add a tag for ‘AppName’ and set it to a value of ‘MyApp’. We can now move on to: Devices.
We can opt to remember our user’s devices. I usually select “Always” because remembering user devices is both free and requires no coding on our part. The information is useful too, so why not? Next step: Apps.
We want certain apps to have access to our user pool. These apps are not present anywhere else in the AWS ecosystem, which means when we create an “app”, it is a Cognito-only identifier. Apps are useful because we can have multiple apps accessing the same user pool (imagine an Uber clone app, and a complementary Driving Test Practice App). We will set the refresh token to 30 days, which means a successful login returns a refresh token that the client can use to obtain fresh session tokens for up to 30 days instead of asking the user to log in every time. We leave “Generate Client Secret” unchecked because we intend to log into our user pool from the front end instead of the back end (ergo, we cannot keep secrets on the front end because that is insecure: anything shipped to the browser can be read by the user). Click “Create App” and then “Next Step” to move on to: Triggers.
We can trigger various actions in the user authentication and setup flow. Remember how we said we can create more complex account verification emails using AWS Lambda and AWS SES? This is where we would set that up. For the scope of this tutorial, we will not be using any AWS Lambda triggers. Let’s move on to the final step: Review.
Here we review all the setup configurations we have made. If you are sure about this info, click “Create Pool” and our Cognito User Pool will be generated!
Take note of the Pool Id us-east-1_6i5p2Fwao in the Pool details tab.
And the App client id 5jr0qvudipsikhk2n1ltcq684b in the Apps tab. We will need both of these in our client side app.
Now that Cognito is set up, we can set up Federated Identities for multiple login providers. In this tutorial we do not cover the specifics of FB Login as it is not within the scope of this tutorial series. However, integrating FB Login is super easy and we will show how it’s done in the section below.
Initial Setup — Federated Identities
Next we want to set up “Federated Identities”. If we have an app that allows multiple login providers (Amazon Cognito, Facebook, Gmail, etc.) for the same user, we would use Federated Identities to centralize all these logins. In this tutorial, we will be using both our Amazon Cognito login, as well as a potential Facebook Login. Go to Federated Identities and begin the process to create a new identity pool. Give it an appropriate name.
Now expand the “Authentication providers” section and you will see the below screen. Under Cognito, we are going to add the Cognito User Pool that we just created. Copy and paste the User Pool ID and App Client ID that we made note of earlier.
And if we wanted Facebook login for the same user identity pool, we can go to the Facebook tab and simply enter our Facebook App ID. That’s all there is to it on the AWS console!
Save the identity pool and you will be redirected to the below screen where IAM roles are created to represent the Federated Identity Pool. The unauthenticated IAM role is for non-logged in users, and the authenticated version is for logged in users. We can grant these IAM roles permission to access other AWS resources like S3 buckets and such. That is how we achieve greater security by integrating our app throughout the AWS ecosystem. Continue to finish creating this Identity Pool.
You should now see the below screen after successfully creating the identity pool. You now only need to make note of one thing, the Identity Pool ID (i.e. us-east-1:65bd1e7d-546c-4f8c-b1bc-9e3e571cfaa7), which we will use later in our code. Great!
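The Pool Id and App client id noted in the Cognito section and the Identity Pool ID noted here all end up in the client. As an added example (not the tutorial's boilerplate code), this JavaScript mirrors the pool's password policy, sends the custom agentName attribute with the required prefix, and sanity-checks an ID token's iss, aud and token_use claims before building the Logins map for the identity pool. The sample token is constructed and unsigned; the function names are my own.

```javascript
// Added example (not the tutorial's boilerplate): the three IDs from the walkthrough
// wired into a client, plus the local checks that belong around them.
const REGION = 'us-east-1';
const USER_POOL_ID = 'us-east-1_6i5p2Fwao';
const APP_CLIENT_ID = '5jr0qvudipsikhk2n1ltcq684b';
const IDENTITY_POOL_ID = 'us-east-1:65bd1e7d-546c-4f8c-b1bc-9e3e571cfaa7';
const POOL_ISSUER = `https://cognito-idp.${REGION}.amazonaws.com/${USER_POOL_ID}`;
// Mirror of the Policies step (8+ characters, at least one number) so the sign-up
// form rejects weak passwords before the request reaches Cognito.
function meetsPoolPasswordPolicy(password) {
  return typeof password === 'string' && password.length >= 8 && /[0-9]/.test(password);
}

// Standard attributes use their plain name; custom ones such as agentName must be
// sent with the "custom:" prefix or Cognito rejects the sign-up.
function buildSignUpAttributes(email, agentName) {
  return [{ Name: 'email', Value: email }, { Name: 'custom:agentName', Value: agentName }];
}

// Decode only the JWT payload (base64url). No signature check here: the identity
// pool verifies the signature on exchange; this is a local sanity check of claims.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// A Cognito ID token carries iss = the pool's issuer URL, aud = the app client id
// and token_use = "id". Tokens from another pool, or access tokens, are refused.
function isIdTokenForThisApp(idToken) {
  const c = decodeJwtPayload(idToken);
  return c.iss === POOL_ISSUER && c.aud === APP_CLIENT_ID && c.token_use === 'id';
}

// Parameters for AWS.CognitoIdentityCredentials: the Logins key is the user pool's
// provider name (issuer URL without the scheme), the value is the ID token.
function identityPoolCredentialsParams(idToken) {
  if (!isIdTokenForThisApp(idToken)) throw new Error('ID token is not from our pool/app');
  return {
    IdentityPoolId: IDENTITY_POOL_ID,
    Logins: { [POOL_ISSUER.replace('https://', '')]: idToken },
  };
}
// Constructed, unsigned sample token for offline demonstration only.
function sampleIdToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'constructed' })}.${enc(claims)}.constructed-signature`;
}
```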
Exit everything and go back to the AWS Cognito main screen. If we enter the Cognito section or the Federated Identities section, we see that we have the 2 necessary pools set up. AWS Cognito and AWS Federated Identities are ready to go!
That’s all for set up! With these 2 pools we can integrate the rest of our code into Amazon’s complete authentication service and achieve top tier user management. That was way easier than custom OAuth+Passport.js! If you like what you’ve seen so far, keep reading! Remember that after you learn this once, it will be super easy in the future, so it is definitely worth the time investment. See you in the next section!
These methods were partially used in the deployment of renthero.ca
Translated from: https://www.freecodecamp.org/news/user-management-with-aws-cognito-1-3-initial-setup-a1a692a657b3/