Question
I have a working iOS app using AWS Cognito AWSMobileClient where users can sign in and log in/out with AWSAuthUI.
What I want to do next is: having a sub from another user (e.g. 7y873ff7-.....u9h4k) I would like to get the information from that other user.
After searching the net it seems that I need to use something called ListUsers, but I am not 100% confident. Can anyone confirm this and give me some tips about how I need to proceed to get done what I want? Knowing that I am working in Swift.
...... Later update of the post .......
Following examples I have found on the net, here is some code I have put together as a trial to start with.
import AWSCognitoIdentityProvider

// Client registered earlier under this key with AWSCognitoIdentityProvider.register(with:forKey:).
let client = AWSCognitoIdentityProvider(forKey: "MY-POOL-ID")
let getUsersRequest = AWSCognitoIdentityProviderListUsersRequest()!
getUsersRequest.attributesToGet = ["email"]
getUsersRequest.userPoolId = "MY-POOL-ID"
getUsersRequest.filter = "sub = \"SOME-USER-SUB\""
client.listUsers(getUsersRequest, completionHandler: { (response, error) in
    // The handler also runs on failure, so log the error instead of staying silent.
    if let error = error {
        print("ListUsers failed: \(error)")
        return
    }
    print("OK, Here we are!")
})
But I never see the message: OK, Here we are!
So I must be doing something wrong. Of course MY-POOL-ID and SOME-USER-SUB are real data that I take from my AWS console.
Answer 1:
You would use the ListUsers API, indeed.
Here is its documentation for the AWS iOS SDK. One of the filters you can apply is for "sub".
The user calling ListUsers must have a role assigned that will grant it access to that API. Have a look at this AWS blog post for an example in JS.
However, you can't allow everyone to list all users in the pool, that would be a huge security hole. Permissions to list all users should be reserved to application administrators, and only if needed. Instead, what you can do is set up a Lambda function on AWS, called through API Gateway. The function would take the sub as input and would return the email address. The role attached to that function would give it access to call ListUsers for your pool. That would limit the amount of information your users can get about others, but your Lambda should still run checks to make sure it's not abused. For example, if user X wants to get the email address of user Y, user Y should approve that in advance.
I don't know your use case, but in general, allowing anyone to get information about any user of your app should be done with care. Any interaction between users should be transparent to them and agreed to. Keep in mind that users can log in to Cognito from outside your application if they can find the app ID and secret token. When giving a user access to anything, think about how it can be misused. You might realize that you should rethink how you approach the problem.
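As an added illustration of the gatekeeping Lambda the answer describes (example code written for this page, not code from the question, the answer, or AWS): the handler takes the caller's identity from the API Gateway Cognito authorizer claims, validates the requested sub before it is spliced into the ListUsers filter string, enforces a prior-approval check, and only then calls ListUsers with the function's own role. The approval table, pool id and sample subs are constructed placeholders; the boto3 client is injectable so the logic can be exercised offline.

```python
import json
import os
import re

# A Cognito sub is a UUID; rejecting anything else also keeps quotes and
# operators out of the filter string handed to ListUsers.
SUB_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
USER_POOL_ID = os.environ.get("USER_POOL_ID", "MY-POOL-ID")  # placeholder pool id

# Constructed stand-in for the "user Y approved user X in advance" record
# (a DynamoDB table in a real deployment): requester sub -> approved target subs.
APPROVALS = {
    "11111111-1111-4111-8111-111111111111": {"22222222-2222-4222-8222-222222222222"},
}


def _response(status, body):
    return {"statusCode": status, "body": json.dumps(body)}


def lookup_email(cognito, target_sub):
    """Call ListUsers filtered on sub; return the email attribute or None if no match."""
    resp = cognito.list_users(
        UserPoolId=USER_POOL_ID,
        Filter=f'sub = "{target_sub}"',
        AttributesToGet=["email"],
        Limit=1,
    )
    for user in resp.get("Users", []):
        for attr in user.get("Attributes", []):
            if attr["Name"] == "email":
                return attr["Value"]
    return None


def lambda_handler(event, context, cognito=None, approvals=APPROVALS):
    # Caller identity comes from the verified authorizer claims, never from request input.
    requester = event.get("requestContext", {}).get("authorizer", {}).get("claims", {}).get("sub")
    target = (event.get("pathParameters") or {}).get("sub", "")
    if not requester or not SUB_RE.match(target):
        return _response(400, {"error": "missing caller identity or malformed sub"})
    if target not in approvals.get(requester, set()):
        return _response(403, {"error": "target user has not approved this lookup"})
    if cognito is None:
        import boto3  # only needed inside Lambda; injectable for offline tests
        cognito = boto3.client("cognito-idp")
    email = lookup_email(cognito, target)
    if email is None:
        return _response(404, {"error": "no such user"})
    return _response(200, {"sub": target, "email": email})
```

The iOS client then calls the API Gateway endpoint with the user's Cognito token instead of calling ListUsers itself, so the app's identity never needs ListUsers permission.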
Source: https://stackoverflow.com/questions/56416551/aws-cognito-getting-user-information-from-the-sub