How can one make authenticated requests with AWS Cognito from mobile to AWS services (i.e. CloudSearch)?

浪子不回头ぞ submitted on 2019-12-30 05:16:08

Question


I've read a bunch of AWS documentation in the last day or two, but haven't yet come across anything that really answers the following:

If a mobile app is using AWS Cognito as the Authentication / Identity provider, I know that we can write AWS IAM policies that specify what AWS resources and actions a user can take. There are a brief few examples of policies that allow users to upload files to S3 directly, but only into "folders" named with their user identity. There is plenty of mention of being able to use policies to control access to all sorts of AWS resources, including CloudSearch.

My primary question is: how are requests made from the mobile client to the AWS services such that they have the user context (token or w/e) necessary for those policies to work? It's possible that the AWS mobile SDKs help with this, but in that case, how are requests then made to resources that are not included in the AWS mobile SDKs (like CloudSearch)? CloudSearch querying exposes itself over a REST API, so how would the mobile client provide the user context in that case, necessary for the policies to work?


Answer 1:


Requests to AWS APIs are authenticated via credentials. For almost all services, this authentication occurs via signature version 4, which uses an HMAC of the payload of the request signed with the access secret key portion of the credential.

For credentials that are vended as part of the Amazon Cognito authflow, a sessionKey is also included that has contextual information about the user that logged in. When the policies associated with those credentials are evaluated, variables can be replaced with these contextual values (e.g. cognito-identity.amazonaws.com:sub for the identity id) to determine if the credentials have the specified access.
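A Signature Version 4 signing sketch for a CloudSearch search request made with temporary credentials, added here as an example and not part of the original answer. The session value from the vended credentials is sent in the `X-Amz-Security-Token` header and is covered by the signature. The function name `sign_get`, the credentials, the host name and the signing service name `cloudsearch` are assumptions made for illustration.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholders, not real credentials or a real search domain.
SAMPLE_CREDS = {"access_key": "ASIAEXAMPLEACCESSKEY", "secret_key": "example-secret-key",
                "session_token": "example-session-token"}
HOST = "search-demo-placeholder.us-east-1.cloudsearch.amazonaws.com"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sign_get(host, path, params, creds, region, service, now=None):
    """Return (headers, url) for a SigV4-signed GET using temporary credentials."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = amz_date[:8]
    # Every header listed here is signed, including the session token.
    headers = {"host": host, "x-amz-date": amz_date,
               "x-amz-security-token": creds["session_token"]}
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    # Query parameters are percent-encoded and sorted by name.
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(str(v), safe='-_.~')}"
                     for k, v in sorted(params.items()))
    canonical_request = "\n".join([
        "GET", quote(path, safe="/-_.~"), query, canonical_headers, signed,
        hashlib.sha256(b"").hexdigest()])  # hash of the empty GET body
    scope = f"{datestamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Derive the signing key: secret -> date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + creds["secret_key"]).encode(), datestamp)
    for part in (region, service, "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in headers.items() if k != "host"}
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                            f"SignedHeaders={signed}, Signature={signature}")
    return out, f"https://{host}{path}?{query}"

if __name__ == "__main__":
    hdrs, url = sign_get(HOST, "/2013-01-01/search", {"q": "star wars", "size": 5},
                         SAMPLE_CREDS, "us-east-1", "cloudsearch")
    print(url, hdrs, sep="\n")
```

The returned headers can be attached to the GET with any HTTP client; the request is then evaluated against the IAM policy of the role behind the temporary credentials.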



Source: https://stackoverflow.com/questions/28479138/how-can-one-make-authenticated-requests-with-aws-cognito-from-mobile-to-aws-serv
