Updated: 2023-12-03 10:21:28
Your question exposes some terminology problems:
3 Ways to Use Cognito
You must understand that there are three different interface APIs.
With respect to identity and sign-in/authentication (the topics of this question), aws-mobile-hub-helper (hereafter MHH) has an elegant design and works well. I would recommend that anyone using Cognito start with the Mobile Hub site (or at least with aws-mobile-hub-helper). MHH is basically a wrapper around the SDK and helps clarify and separate the issues of persistent federated identity and credentials/authorization for AWS services from the issues of identity, authentication and attributes/claims for that identity.
The mobile-hub-helper is documented only in the .h files. These can be processed into documentation by appledoc, and the comments there are pretty good if you have an overview of the class structure (which does not exist, but which I will attempt to provide).
SDK Authentication Flow
The authentication flow documented by AWS is an oversimplification and does not aid in understanding how authentication is accomplished using the SDK and Mobile Hub Helper. The following diagrams attempt to convey how identity authentication (login) and authorization (credentials) to use AWS services (like S3 and DynamoDB) work.
Understanding Cognito
Cognito Naming
Cognito is a single name created by AWS to cover many functionalities and roles.
SDK class names are confusing. But with few exceptions, classes starting with AWSCognitoIdentity (but NOT AWSCognitoIdentityProvider) are about the credentials provider/identity provider, and classes starting with AWSCognitoIdentityProvider relate to OAuth/OpenID Connect providers and other distributed identity providers (Facebook).
Glossary/Synonyms
These terms are used loosely throughout the AWS documentation and marketing material. This is an attempt to sort out the terminology by grouping terms that AWS uses interchangeably.
IdentityId Behavior
When the user authenticates, authenticating disables the unauthenticated identityId that is currently on the device (the identityId will be permanently marked DISABLED in the Logins array of the identityPool entry; you can see this in the Cognito console). There is one exception: if this is the first time authentication takes place for this identity, then the unauthenticated identityId is not abandoned but is associated with the identity and used as the authenticated identityId going forward.
Merging multiple identities (meaning usernames, not identityIds) from different identity providers abandons (disables) one of the identityIds and associates both identities with the other identityId. Disabled Ids get created whenever this happens. These abandoned identityIds are marked DISABLED in the Logins array in the Cognito identityPool.
In practice this process makes reasonable use of unique identityIds, with disabled ones only getting created when a user authenticates on a new device. (It can be bothersome in testing, as it creates a barrage of disabled and unused identityIds when the tester logs out and in multiple times with multiple ids.) But in practice the common use case would not create this barrage of disabled identityIds. A user would:
connect, get an unauthenticated id, authenticate, and use the same id. No abandoned id is created.
AWSIdentityProviderManager
AWSIdentityProviderManager is the protocol that manages federated AWSIdentityProviders.
In mobile-hub-helper, AWSIdentityManager is the AWSIdentityProviderManager.
All it needs to do is return to the credentials provider a logins dictionary with provider names and ID tokens. AWSIdentityManager only returns the provider name and token for a single identity provider. It simply gets the name and token from the AWSSignInProvider and returns them. (There is a fork with a modification that adds the ability to return all of the currently logged-in providers in the logins dictionary.)
As modified, AWSIdentityManager maintains an NSDictionary called cachedLogins. Each new login adds a login (an identity provider name and id token) to the cache. Then logins always returns the whole loginCache. This is what supports identity merging.
When the credentials provider calls its associated AWSIdentityProviderManager's logins method and finds a list of logins instead of just one, it will merge the identityIds for those logins in its database and disable the identityId of one of them. How does it know which ID goes with which login? The ID token contains an encoded, decryptable (paste the token into https://jwt.io to see for yourself) set of claims, one of which is the identity (e.g. username).
Note: Even though you have an identityId that has multiple related logins, in Mobile Hub Helper you are only ever authenticated by one AWSSignInProvider. Credentials get associated with the merged identityId, but in mobile-hub-helper access to that identityId is always via the active AWSSignInProvider (authentication provider), even if you are logged in with multiple identity providers. Your app can keep track of all of the AWSSignInProviders and access them independently of AWSIdentityManager, but from AWSIdentityManager's point of view you are logged in with one of them. In practice this has little impact (until you try to get "claims" like imageURL from different providers, for instance).
About Merging Identities
Currently the AWSIdentityManager does not support identity merging. I have a forked repository, https://github.com/BruceBuckland/aws-mobilehub-helper-ios, from the GitHub repository that adds that capability and adds a Cognito User Pools identity provider AWSSignInProvider (AWSCUPIdPSignInProvider.swift).
You can probably think of all sorts of gotchas when merging identities.
What if I try to merge two identities from the same provider (wouldn't the dictionary keys be the same)?
What if I try to merge two identities, each of which has a different identity from the same provider associated with it (again, they would create two entries with the same keys)?
Cognito manages this beautifully and rejects attempts to merge identities that cannot be merged. The rejection happens at login time (when you try to get credentials, the credentials provider will reject the logins dictionary that contains an un-mergeable identityId).
Where Cognito Buries Data
Cognito stores a keychain on the device that contains the last identityId that was used. This is used by the credentialsProvider/identityProvider object upon a call to credentialsProvider.credentials (iOS SDK name) to re-use an existing identity (for example unauthenticated) and avoid creating unused identities unless the user truly is not going to log in or resume.
Mobile-Hub-Helper's AWSSignInProviders and AWSIdentityManager store an indication of an open session state in NSUserDefaults. These are used to restart the session if the app is terminated and restarted.
AWSSignInProviders store in NSUserDefaults too, and sometimes in the iOS Keychain, for their own internal purposes (like retaining easy persistent access to a username, imageURL or token).
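The answer above describes two mechanisms in prose: how the ID token's claims tell Cognito which identity a login belongs to, and why a logins dictionary keyed by provider name cannot hold two identities from the same provider. The following is an added example, written in Python for readability and not code from aws-mobile-hub-helper, the AWS SDK or the answer's author. It decodes a JWT payload the way jwt.io does (decoding only, no signature check) and models a cachedLogins-style dictionary that refuses a second, different subject from a provider that is already present. The provider key strings, claim names and the HS256 sample tokens are constructed for the example and are not real Cognito values.

```python
"""Model of the `logins` dictionary and ID-token claims described above.

Added example (not aws-mobile-hub-helper or AWS SDK code). Provider keys,
claim values and the HS256 sample tokens are constructed so the block runs
offline; real Cognito tokens are RS256-signed by the issuer.
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped (RFC 7515, section 2).
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding JWT strips before handing the text to base64.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_sample_id_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 ID token so the example has realistic input."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_id_token_claims(token: str) -> dict:
    """Return the claims set of an ID token (what jwt.io shows you).

    This only decodes the payload. It does not check the signature; the
    credentials provider verifies the token against the issuer, so on the
    client side treat these claims as informational.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def add_login(cached_logins: dict, provider_name: str, id_token: str) -> dict:
    """Return a new logins dictionary with this provider's ID token added.

    The dictionary is keyed by provider name, so one provider can carry only
    one identity. A second token from the same provider is accepted only if
    it has the same subject (a token refresh); a different subject is the
    'same provider, different identity' gotcha the answer raises, and is
    refused here instead of silently overwriting the first identity.
    """
    new_sub = decode_id_token_claims(id_token)["sub"]
    existing = cached_logins.get(provider_name)
    if existing is not None:
        old_sub = decode_id_token_claims(existing)["sub"]
        if old_sub != new_sub:
            raise ValueError(
                f"{provider_name} already holds identity {old_sub}; "
                f"cannot also hold {new_sub} in one logins dictionary"
            )
    updated = dict(cached_logins)
    updated[provider_name] = id_token
    return updated


# Constructed sample data: two providers, then a second, different identity
# from the first provider. Issuer and provider strings are illustrative.
SECRET = b"constructed-sample-key-not-a-real-secret"
TOKEN_A = make_sample_id_token(
    {"iss": "https://idp-a.example", "sub": "user-a-123", "aud": "example-client"}, SECRET)
TOKEN_B = make_sample_id_token(
    {"iss": "https://idp-b.example", "sub": "user-b-456", "aud": "example-client"}, SECRET)
TOKEN_A2 = make_sample_id_token(
    {"iss": "https://idp-a.example", "sub": "user-a-999", "aud": "example-client"}, SECRET)


def demo() -> dict:
    """Build a two-provider logins dictionary, then show the refused merge."""
    logins = add_login({}, "idp-a.example", TOKEN_A)
    logins = add_login(logins, "idp-b.example", TOKEN_B)
    try:
        add_login(logins, "idp-a.example", TOKEN_A2)
        rejected = False
    except ValueError:
        rejected = True
    return {"providers": sorted(logins), "conflict_rejected": rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the two provider keys that made it into the dictionary and `conflict_rejected: true` for the second identity from the same provider. In the real flow the answer describes, the rejection comes from the credentials provider when it receives an un-mergeable logins dictionary; catching the collision locally, as `add_login` does, simply surfaces the same condition before the credentials call.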