AWS:如何针对Cognito Pool正确authentication用户并将其用于Cognito联合身份authentication?
我正在使用两个身份validation提供程序的应用程序:
- Facebook的
- Cognito用户池
与前者,我没有问题,一切都按预期工作。 但是,在使用Cognito用户池设置身份validation的同时,我又一次碰到了一面墙。 我正在使用AWS SDK 2.4.9,XCode 8和Swift 3。
我知道有很多问题已经被提出,并且有很多“指南”在那里。 但是,他们中的很多人都回答了过时的文档和SDK。 即使官方的AWS文档已经过期。
我正在经历的authentication步骤如下:
1.configuration初始认知池
/// Set the default service configuration let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil) AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration /// Create a pool configuration and register it for a specific key to use later let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID) AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey) /// Create a pool for a specific predefined key pool = AWSCognitoIdentityUserPool(forKey: poolKey) 2.根据Cognito用户池对用户进行身份validation
user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in if let error = task.error as? NSError { completionHandler(error) return nil } let session = task.result! as AWSCognitoIdentityUserSession let token = session.idToken!.tokenString let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString] let identityProvider = CognitoPoolIdentityProvider(tokens: tokens) let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider) /// Set the default service configuration let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider) AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in completionHandler(task.error as NSError?) return nil }) return nil })
3. CognitoPoolIdentityProvider类
class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager { var tokens : NSDictionary = [:] init(tokens: [NSString : NSString]) { self.tokens = tokens as NSDictionary } @objc func logins() -> AWSTask<NSDictionary> { return AWSTask(result: tokens) } }
4.将数据存储到Cognito联合身份
所有这些通过没有任何错误。 但是,现在我想将从Cognito Pool中提取的数据存储到特定的Cognito联合身份数据集中,因此我正在调用: userProfile.synchronize().continue并且得到以下结果:
getCredentialsWithCognito:authenticated:customRoleArn:] _ block_invoke | GetCredentialsForIdentity失败。 错误是[错误域= com.amazonaws.AWSCognitoIdentityErrorDomain代码= 8“(空)”UserInfo = {__ type = NotAuthorizedException,消息=访问身份'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'被禁止}]
2016-11-10 10:27:16.947365 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误] AWSIdentityProvider.m line:304 | __52- [AWSCognitoCredentialsProviderHelper getIdentityId] _block_invoke.255 | GetId失败。 错误是[错误域= com.amazonaws.AWSCognitoIdentityErrorDomain代码= 8“(空)”UserInfo = {__types= NotAuthorizedException,消息=未经身份validation的访问不支持此身份池。 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误]
AWSCredentialsProvider.m行:577 | __44- [AWSCognitoCredentialsProvider凭证] _block_invoke.352 | 无法刷新。 错误是[错误域= com.amazonaws.AWSCognitoIdentityErrorDomain代码= 8“(空)”UserInfo = {__ type = NotAuthorizedException,消息=未经身份validation的访问不支持这个身份池。 xxxxxxxx [19867:5614838] AWSiOSSDK v2.4.11 [错误]
AWSCognitoDataset.m行:352 | __30- [AWSCognitoDataset syncPull:] _ block_invoke | 无法列出logging:错误域= com.amazonaws.AWSCognitoIdentityErrorDomain代码= 8“(空)”UserInfo = {__types= NotAuthorizedException,消息=未经身份validation的访问不支持此身份池[10:27:16]:saveSettings AWS任务错误:操作无法完成。 (com.amazonaws.AWSCognitoIdentityErrorDomain错误8.)
更改日志级别后,我可以看到以下内容:
//请求
2016-11-10 10:33:08.095735 xxxxxxxx [19874:5616142] AWSiOSSDK v2.4.11 [debugging] AWSURLSessionManager.m line:543 | – [AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] | 请求正文:{“IdentityId”:“us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx”}
//响应
2016-11-10 10:33:08.714268 xxxxxxxx [19874:5616154] AWSiOSSDK v2.4.11 [debugging] AWSURLSessionManager.m line:553 | – [AWSURLSessionManager printHTTPHeadersForResponse:] | 响应标题:{连接=“保持活着”; “Content-Length”= 129; “Content-Type”=“application / x-amz-json-1.1”; date=“星期四,10十一月2016 09:33:08 GMT”; “x-amzn-ErrorMessage”=“禁止访问身份”us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx“。 “x-amzn-ErrorType”=“NotAuthorizedException:”; “x-amzn-RequestId”=“b0ac6fb0-a728-11e6-8413-1fdb846185bb”; }
上面的请求是GetID API调用。 显然,它与AWS Docs中的请求格式不匹配: http : //docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html 。
根据AWSServiceManager类,我们有这样的:
/** The default service configuration object. This property can be set only once, and any subsequent setters are ignored. */ @property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration;
这意味着设置新的服务configuration是毫无意义的,但是我看不到任何其他方式来刷新我通过Cognito用户池身份validation获得的凭据。
这是非常多的。 有任何想法吗?
谢谢
从你得到的错误看来
Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden
您在第一部分中获得的凭据无法访问您进行同步呼叫的身份,因此您的身份可能已更改。