Question
I am building an HTTP API in Java that uses AWS Cognito and developer authenticated identities to provide tokens to secure the API. I have configured the login system to issue a Cognito token when a user logs in, and the Cognito identity pool contains each user and a developer identity associated with my backend, but I am having a very difficult time finding a straightforward way to retrieve a user's specific developer identifier from the Cognito token. I have attempted to use the AssumeRoleWithWebIdentityResult API call, but have been unable to find documentation about it for determining the developer identifier, only examples for obtaining temporary AWS credentials.
Answer 1:
Once you have temporary AWS credentials, when you call the backend, you can access the Cognito identifier of the caller in the context. Then you can retrieve the developer identifier using lookupDeveloperIdentity on the server side.
Check these pages to retrieve the context data if you are using API Gateway or Lambda.
Answer 2:
In the token returned by GetOpenIdTokenForDeveloperIdentity, the unique identifier that you gave the user is in the "amr" field. So you will need to crack open the token to get it.
EDIT: As Alexis N-o pointed out, you can look up the developer identity with the Cognito Identity ID:
http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_LookupDeveloperIdentity.html
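An added example (not part of either answer, and not AWS's code) of reading the developer identifier from the `amr` claim that Answer 2 mentions. It assumes Jackson is on the classpath, that the token's signature has already been verified, that `aud` holds the identity pool ID, and that the relevant `amr` entry has the form `<providerName>:<identityPoolId>:<developerUserId>`; the class name, provider name, pool ID and token below are constructed placeholders.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;

public class AmrDeveloperId {
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Assumed amr entry layout: "<providerName>:<identityPoolId>:<developerUserId>".
    static Optional<String> developerId(String token, String providerName, String poolId)
            throws IOException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("not a compact JWT");
        }
        // Decoding only: the signature in parts[2] must already have been verified.
        JsonNode claims = MAPPER.readTree(Base64.getUrlDecoder().decode(parts[1]));
        // Assumption: aud carries the identity pool ID; reject tokens for another pool.
        if (!poolId.equals(claims.path("aud").asText())) {
            throw new IllegalArgumentException("token audience is not " + poolId);
        }
        String prefix = providerName + ":" + poolId + ":";
        for (JsonNode entry : claims.path("amr")) {
            String value = entry.asText();
            if (value.startsWith(prefix) && value.length() > prefix.length()) {
                // Keep everything after the prefix so identifiers containing ':' survive.
                return Optional.of(value.substring(prefix.length()));
            }
        }
        return Optional.empty();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample token: placeholder pool ID, provider name and signature.
        String pool = "us-east-1:00000000-0000-0000-0000-000000000000";
        String payload = "{\"sub\":\"us-east-1:11111111-1111-1111-1111-111111111111\","
                + "\"aud\":\"" + pool + "\",\"amr\":[\"authenticated\",\"login.example.app\","
                + "\"login.example.app:" + pool + ":user-42\"]}";
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String token = enc.encodeToString("{\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString(payload.getBytes(StandardCharsets.UTF_8)) + ".sig";
        System.out.println(developerId(token, "login.example.app", pool));
    }
}
```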
Source: https://stackoverflow.com/questions/34644083/aws-cognito-for-api-token-authentication