AWS：如何針對Cognito Pool正確認證用戶並將其用於Cognito聯合身份認證？

Question

我上的應用程序，它會使用兩個認證提供商合作：

• Facebook的
• Cognito用戶羣

對於前者，我覺得沒有問題，按預期一切正常。但是，在使用Cognito用戶池設置身份驗證的同時，我又一次擊中了一面牆。我正在使用AWS軟件開發工具包2.4.9，XCode 8和Swift 3.

我知道有很多問題已經被問及很多「指南」在那裏。但是，他們中的很多人都回答了過時的文檔和SDK。即使官方AWS文檔已過時。

，我要通過認證步驟如下：

1.配置初始cognito池

/// Set the default service configuration 
let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: nil) 
AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration 

/// Create a pool configuration and register it for a specific key to use later 
let poolConfiguration = AWSCognitoIdentityUserPoolConfiguration(clientId: appClientID, clientSecret: appClientSecret, poolId: poolID) 
AWSCognitoIdentityUserPool.registerCognitoIdentityUserPool(with: poolConfiguration, forKey: poolKey) 

/// Create a pool for a specific predefined key 
pool = AWSCognitoIdentityUserPool(forKey: poolKey) 

2.驗證對Cognito用戶池的用戶

user.getSession(username, password: password, validationData: nil).continue({ (task) -> AnyObject? in 

     if let error = task.error as? NSError { 
      completionHandler(error) 
      return nil 
     } 

     let session = task.result! as AWSCognitoIdentityUserSession 
     let token = session.idToken!.tokenString 

     let tokens : [NSString:NSString] = ["cognito-idp.us-east-1.amazonaws.com/\(self.poolID!)" as NSString : token as NSString] 
     let identityProvider = CognitoPoolIdentityProvider(tokens: tokens) 

     let credentialsProvider = AWSCognitoCredentialsProvider(regionType: .usEast1, identityPoolId: self.identityPoolID, identityProviderManager: identityProvider) 

     /// Set the default service configuration 
     let serviceConfiguration = AWSServiceConfiguration(region: AWSRegionType.usEast1, credentialsProvider: credentialsProvider) 
     AWSServiceManager.default().defaultServiceConfiguration = serviceConfiguration 

     credentialsProvider.getIdentityId().continue({ (task) -> AnyObject? in 
      completionHandler(task.error as NSError?) 
      return nil 
     }) 

     return nil 
    }) 

3. CognitoPoolIden tityProvider類

class CognitoPoolIdentityProvider : NSObject, AWSIdentityProviderManager { 

     var tokens : NSDictionary = [:] 

     init(tokens: [NSString : NSString]) { 
      self.tokens = tokens as NSDictionary 
     } 

     @objc func logins() -> AWSTask<NSDictionary> { 
      return AWSTask(result: tokens) 
     } 

    } 

4.將數據存儲到Cognito聯合身份

所有這一切都通過沒有任何錯誤。不過，現在我想保存我從Cognito池中取出一個特定的Cognito聯合身份數據集的數據，所以我打電話：userProfile.synchronize().continue和我得到的結果如下：

getCredentialsWithCognito:authenticated:customRoleArn:]_block_invoke | GetCredentialsForIdentity failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden.}]

2016-11-10 10:27:16.947365 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error] AWSIdentityProvider.m line:304 | __52-[AWSCognitoCredentialsProviderHelper getIdentityId]_block_invoke.255 | GetId failed. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}] 2016-11-10 10:27:16.947726 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error]

AWSCredentialsProvider.m line:577 | __44-[AWSCognitoCredentialsProvider credentials]_block_invoke.352 | Unable to refresh. Error is [Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.}] 2016-11-10 10:27:16.948452 xxxxxxxx[19867:5614838] AWSiOSSDK v2.4.11 [Error]

AWSCognitoDataset.m line:352 | __30-[AWSCognitoDataset syncPull:]_block_invoke | Unable to list records: Error Domain=com.amazonaws.AWSCognitoIdentityErrorDomain Code=8 "(null)" UserInfo={__type=NotAuthorizedException, message=Unauthenticated access is not supported for this identity pool.} [10:27:16]: saveSettings AWS task error: The operation couldn’t be completed. (com.amazonaws.AWSCognitoIdentityErrorDomain error 8.)

更改日誌級別後，我可以看到以下內容：

//REQUEST

2016-11-10 10:33:08.095735 xxxxxxxx[19874:5616142] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:543 | -[AWSURLSessionManager printHTTPHeadersAndBodyForRequest:] | Request body: {"IdentityId":"us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"}

//RESPONSE

2016-11-10 10:33:08.714268 xxxxxxxx[19874:5616154] AWSiOSSDK v2.4.11 [Debug] AWSURLSessionManager.m line:553 | -[AWSURLSessionManager printHTTPHeadersForResponse:] | Response headers: { Connection = "keep-alive"; "Content-Length" = 129; "Content-Type" = "application/x-amz-json-1.1"; Date = "Thu, 10 Nov 2016 09:33:08 GMT"; "x-amzn-ErrorMessage" = "Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx' is forbidden."; "x-amzn-ErrorType" = "NotAuthorizedException:"; "x-amzn-RequestId" = "b0ac6fb0-a728-11e6-8413-1fdb846185bb"; }

上述請求是GetID API調用。顯然，它與AWS Docs：http://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetId.html中的請求格式不匹配。

按照AWSServiceManager類，我們有這樣的：

/** 
The default service configuration object. This property can be set only once, and any subsequent setters are ignored. 
*/ 
@property (nonatomic, copy) AWSServiceConfiguration *defaultServiceConfiguration; 

這意味着，設置新的服務配置是沒有意義的，但我看不出有什麼其他的方式來刷新，我已經通過Cognito用戶羣中獲得的證書認證。

就是這樣。有任何想法嗎？

感謝

Answer 1

它從你得到

Access to Identity 'us-east-1:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' is forbidden 

，您在第一部分所獲得的無法訪問的身份憑證所做的同步調用，帶這樣你的身份很可能改變錯誤似乎。