amazon-cognito - No email in AppSync Resolver

Tags: amazon-cognito aws-amplify aws-appsync

I created a resolver that uses the email address ($context.identity.claims.email). I tested my query in the "Queries" section of the AWS console and everything worked, because $context.identity.claims looked as expected:

{
    sub: 'xxx-xxx-xxx-xxx-xxx',
    aud: 'xxxxxxxxx',
    email_verified: true,
    sub: 'xxx-xxx-xxx-xxx-xxx',
    token_use: 'id',
    auth_time: 1563643503,
    iss: 'https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_xxxxx',
    'cognito:username': 'xxxx',
    exp: 1563647103,
    iat: 1563643503,
    email: 'xxx@xxx.xxx'
}

Everything looked fine, so let's use it in a React app that authenticates with AWS Amplify code. Now it doesn't work, and that's because the claims section has no "email"! It looks like this:
{
    sub: 'xxx-xxx-xxx-xxx-xxx',
    event_id: 'xxx-xxx-xxx-xxx-xxx',
    token_use: 'access',
    scope: 'aws.cognito.signin.user.admin',
    auth_time: 1563643209,
    iss: 'https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_xxxx',
    exp: 1563646809,
    iat: 1563643209,
    jti: 'xxx-xxx-xxx-xxx-xxx',
    client_id: 'xxxx',
    username: 'xxxx'
}

Can anyone help me understand why the email shows up in the AWS console query but not when I call from my own client?

Best answer

By passing in a function, Amplify can be configured to include the current ID token with every GraphQL request. The two configuration options look like this:

import Amplify, { Auth } from 'aws-amplify';

// Build the Authorization header from the current ID token (not the access
// token), so $context.identity.claims carries email and the other profile claims.
const getIdToken = async () => ({
  Authorization: (await Auth.currentSession()).getIdToken().getJwtToken()
});

const aws_exports = {
  aws_appsync_graphqlEndpoint: 'https://****.appsync-api.us-east-2.amazonaws.com/graphql',
  aws_appsync_region: 'us-east-2',
  aws_appsync_authenticationType: 'AMAZON_COGNITO_USER_POOLS',

  // OPTION 1
  graphql_headers: getIdToken,

  // OPTION 2
  // API: {
  //   graphql_headers: getIdToken
  // },

  Auth: {
    identityPoolId: 'us-east-2:********-****-****-****-************',
    region: 'us-east-2',
    userPoolId: 'us-east-2_*********',
    userPoolWebClientId: '*************************',
    type: 'AMAZON_COGNITO_USER_POOLS'
  }
};

export default aws_exports;
Amplify.configure(aws_exports);

Note the different claims available to the resolver depending on whether an access token or an ID token is sent.

The access token provides claims such as client_id, jti and scope, while the ID token provides email, phone_number and so on, plus other claims such as aud, cognito:roles and cognito:username.

Access token
{
  "claims": {
    "auth_time": 1581438574,
    "client_id": "*************************",
    "cognito:groups": [
      "Admin"
    ],
    "event_id": "ec70594c-b02b-4015-ad0b-3c207a18a362",
    "exp": 1581442175,
    "iat": 1581438575,
    "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_*********",
    "jti": "351d2d5f-13c3-4de8-ba7c-b3c5a9e46ca6",
    "scope": "aws.cognito.signin.user.admin",
    "sub": "********-****-****-****-************",
    "token_use": "access",
    "username": "********-****-****-****-************"
  },
  ...
}

ID token
{
  "claims": {
    "address": {
      "formatted": "1984 Newspeak Dr"
    },
    "aud": "....",
    "auth_time": 1581438671,
    "birthdate": "1984-04-04",
    "cognito:groups": [
      "Admin"
    ],
    "cognito:roles": [
      "arn:aws:iam::012345678901:role/us-east-2-ConsumerRole"
    ],
    "cognito:username": "********-****-****-****-************",
    "email": "winston.smith@oceania.gov",
    "email_verified": true,
    "event_id": "e3087488-bfc8-4d08-a44c-089c4ae7d8ec",
    "exp": 1581442271,
    "gender": "Male",
    "iat": 1581438672,
    "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_*********",
    "name": "WINSTON SMITH",
    "phone_number": "+15551111984",
    "phone_number_verified": false,
    "sub": "********-****-****-****-************",
    "token_use": "id"
  },
  ...
}

Tested with amplify-js@2.2.4

Source: https://github.com/aws-amplify/amplify-js/blob/aws-amplify%402.2.4/packages/api/src/API.ts#L86-L107
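As an added example (not part of the original answer), a small Node.js helper that decodes the payload of the JWT a client would attach and reports whether a resolver will see an email claim, plus a guard a graphql_headers function can use to refuse an access token. The tokens are constructed samples with a placeholder signature segment; no signature verification is done here, since AppSync performs that against the user pool's keys.

```javascript
// Added example, not from the original answer. Assumes Node.js (Buffer).

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Decode only the payload segment; the signature is NOT checked here.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT (expected header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Summarise what $context.identity.claims would contain for this token.
function describeToken(jwt) {
  const claims = decodeJwtPayload(jwt);
  const hasEmail = typeof claims.email === 'string';
  return {
    tokenUse: claims.token_use,                                  // 'id' or 'access'
    username: claims['cognito:username'] || claims.username,    // key differs per token type
    hasEmail,
    hint: hasEmail
      ? 'ID token: $context.identity.claims.email is available'
      : 'access token: no email claim; send the ID token in the Authorization header'
  };
}

// Guard for a graphql_headers function: only an ID token carries profile claims.
function assertIdToken(jwt) {
  const claims = decodeJwtPayload(jwt);
  if (claims.token_use !== 'id') throw new Error(`expected token_use=id, got ${claims.token_use}`);
  return jwt;
}

// Constructed sample tokens (placeholder header and signature, no real key).
function fakeJwt(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', kid: 'placeholder' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}
const sampleAccessToken = fakeJwt({ sub: 'xxx', token_use: 'access', scope: 'aws.cognito.signin.user.admin', username: 'xxxx' });
const sampleIdToken = fakeJwt({ sub: 'xxx', token_use: 'id', 'cognito:username': 'xxxx', email: 'xxx@xxx.xxx', email_verified: true });

console.log(describeToken(sampleAccessToken));
console.log(describeToken(sampleIdToken));
```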

Regarding "amazon-cognito - No email in AppSync Resolver", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/57127211/
