ユーザーをé™å®šã™ã‚‹webサイト・webアプリã¯ãƒã‚°ã‚¤ãƒ³ã®ä»•çµ„ã¿ãŒå¿…è¦ã«ãªã‚‹.
AWS cognito, 特ã«User Poolsã®æ©Ÿèƒ½ã§ã“ã‚ŒãŒå®Ÿè£…ã§ãã‚‹.
Cognitoã¨ã¯ä½•ãžï¼Ÿã¨ã„ã†æ–¹ã¯ã“ã¡ã‚‰ä¸€èªã‚’推奨.
tarepan.hatenablog.com
Cognitoを用ã„ãŸã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†ã®å¤§æž
- インターãƒãƒƒãƒˆã‚’介ã—ãŸåˆå›žèªè¨¼ã€èªè¨¼æƒ…å ±ã®ãƒãƒ¼ã‚«ãƒ« (ブラウザ) ã¸ã®ä¿å˜
- å„webページ/アプリé·ç§»ã§ãƒãƒ¼ã‚«ãƒ«èªè¨¼æƒ…å ±ã®ãƒã‚§ãƒƒã‚¯ã€ä¸æ£ãªã‚‰ãƒˆãƒƒãƒ—ページ/ãƒã‚°ã‚¤ãƒ³ç”»é¢ã¸å¼·åˆ¶ãƒªãƒ³ã‚¯
åˆå›žèªè¨¼æ™‚ã®ãƒ‡ãƒ¼ã‚¿ãŒãƒãƒ¼ã‚«ãƒ«ã¸è‡ªå‹•ä¿å˜ã•ã‚Œã€å¿…è¦ã«å¿œã˜ã¦ãƒšãƒ¼ã‚¸é·ç§»æ™‚ãªã©ã«èªã¿å‡ºã—関数ã§ãれをãƒã‚§ãƒƒã‚¯ (validation)ã€æœªãƒã‚°ã‚¤ãƒ³ãƒ»æœŸé™åˆ‡ã‚Œç‰ã®å ´åˆã¯ãã®ãƒšãƒ¼ã‚¸ã‹ã‚‰è¿½ã„出ã™.
AWS Cognito UserPoolsを利用ã™ã‚Œã°ã€é–¢æ•°ã‚’数個å©ãã ã‘ã§ã“ã®ä»•çµ„ã¿ãŒå®Ÿè£…ã§ãã‚‹, ã™ã”ã„ãž Amazon.
詳細
- JWT (Json Web Token)
- èªè¨¼ãƒ•ãƒãƒ¼
ã®çŸ¥è˜ãŒã‚ã‚‹ã¨è‰¯ã„。
èªè¨¼æ™‚ã«localStorageã¸JwtTokenをセットã—ã€"ãã®å¾Œ"ã¯getSessionã§tokenã®å–り出ã—・利用期é™ã®validationã™ã‚‹ã€‚ä¸æ£ãªå ´åˆã¯getSessionã®callback内ã§ãƒã‚°ã‚¤ãƒ³ãƒšãƒ¼ã‚¸ã¸é£›ã°ã™.
"ãã®å¾Œ"ã§ã¯ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚’介ã—ãŸãƒã‚§ãƒƒã‚¯ã¯ã—ã¦ãªã•ãã†.
ãƒã‚°ã‚¢ã‚¦ãƒˆæ™‚ã«ã¯localStorageã¨session変数を空ã«ã—ã¦ã‚‹.
åˆå›ž : ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ä»‹ã—ãŸèªè¨¼
2å›žç›®ä»¥é™ : localStorageã®tokensã‚’validationã—ã¦è¨±å¯
ユーザーèªè¨¼ã¨ãƒšãƒ¼ã‚¸ã‚’ã¾ãŸã„ã ãƒã‚°ã‚¤ãƒ³ã®é‡è¦ã‚³ãƒ¼ãƒ‰
UserPoolインスタンスã®ä½œæˆ
new CognitoIdP.CognitoUserPool(data)
- @param {object} data / Creation options.
CognitoUser.authenticateUser
内部ã§authRequest (CognitoIdPãƒã‚¤ãƒ†ã‚£ãƒ–関数) ã‚’å©ãã€æ‰€å®šã®èªè¨¼ãƒ—ãƒã‚»ã‚¹ã‚’通éŽã—ãŸã‚‰
- signInUserSessionã¸ã®ã‚»ãƒƒãƒˆ
- localStorageã¸ã®cache
を実行
// amazon-cognito-identity-js/src/CognitoUser.js // most important: line 225 - 227 export default class CognitoUser { ... authenticateUser(authDetails, callback) { ... this.client.makeUnauthenticatedRequest('initiateAuth', { ... }, (err, data) => { ... this.client.makeUnauthenticatedRequest('respondToAuthChallenge', { ...}, (errAuthenticate, dataAuthenticate) => { ... this.signInUserSession = this.getCognitoUserSession(dataAuthenticate.AuthenticationResult); this.cacheTokens(); ... }); }); }} // line 77 constructor(data){ ... this.client = data.Pool.client; } // amazon-cognito-identity-js/src/CognitoUserPool.js export default class CognitoUserPool { ... constructor(data) { ... this.client = new CognitoIdentityServiceProvider({ apiVersion: '2016-04-19', region }); }}
getCurrentUser
CognitoUserPool.getCurrentUser()
最後ã«èªè¨¼ã—ãŸãƒ¦ãƒ¼ã‚¶ãƒ¼åã‚’localStorageã‹ã‚‰å–り出ã—ã€CognitoUserã«ã—ã¦è¿”ã™.ã„ãªã„å ´åˆã¯null.
localStorageã¸ã®ç™»éŒ²ã‚¿ã‚¤ãƒŸãƒ³ã‚°ã¯ CognitoUser.cacheToken() 実行時ã®ã¿.
実行タイミング㯠CognitoUser.authenticateUser() ã®ã¿.
()=>CognitoUser(LastAuthUser)
// amazon-cognito-identity-js/src/CognitoUser.js // important: line 788 - 800 export default class CognitoUser { ... cacheTokens() { const keyPrefix = `CognitoIdentityServiceProvider.${this.pool.getClientId()}`; ... const lastUserKey = `${keyPrefix}.LastAuthUser`; ... storage.setItem(lastUserKey, this.username); } ... }
getSession
validãªtokensを検出ã—ãŸå ´åˆã«callbackãŒå®Ÿè¡Œã•ã‚Œã‚‹.
cognitoUser.getSession(callback)
callback: (err, signInUserSession)=>{}
cognitoUserã«validãªsignInUserSessionãŒã‚ã‚Œã°å³callback実行.
ãªã„å ´åˆã¯ãƒ¦ãƒ¼ã‚¶ãƒ¼åã‚’ã‚‚ã¨ã«localStorageã‹ã‚‰tokenã‚’å–å¾—ã€CognitoUserSessionã«å…¥ã‚Œã€validãªã‚‰callback実行.
期é™åˆ‡ã‚Œ (invalid) ãªã‚‰refreshTokenを用ã„ã¦å–å¾—ã—ç›´ã—ã€ãã®å¾Œ callback.
ä»–ã®å ´åˆã¯Errorã§callback実行.
CognitoUserSession
IdToken, AccessToken, RefreshTokenã®å…¥ã‚Œç‰©. validation check関数 (isValid) を実装.
AWS Cognito Identityã¨ã®é–¢ä¿‚
ユーザー登録・ãƒã‚°ã‚¤ãƒ³ãƒ»ã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†ã¯ (基本的ã«) User Pools上ã§å®Œçµã™ã‚‹.
Identity Poolã‚„Federated Identityã®ä»•çµ„ã¿ã¯ã€ä»–ã®AWS resourceã¸ã®ã‚¢ã‚¯ã‚»ã‚¹ç‰ã«å¿…è¦ã«ãªã‚‹.
amazon-cognito-identity-js
å…¨ã¦ã¯è§£æ±ºã—ãŸã€‚amazon-cognito-identity-js 㯠AWS.CognitoIdenitityServiceProviderã‚’ãƒ¡ã‚½ãƒƒãƒ‰è¿½åŠ ã§æ‹¡å¼µã—ã¦ã„る。
å‚考
Integrating User Pools with Amazon Cognito Identity - Amazon Cognito
