amazon-cognito - Appsync Resolver 中没有电子邮件

Question

我创建了一个使用电子邮件地址 ($context.identity.claims.email) 的解析器。我在 AWS 控制台“查询”部分测试了我的查询，一切正常，因为 $context.identity.claims 看起来符合预期；

{
    sub: 'xxx-xxx-xxx-xxx-xxx',
    aud: 'xxxxxxxxx',
    email_verified: true,
    sub: 'xxx-xxx-xxx-xxx-xxx',
    token_use: 'id',
    auth_time: 1563643503,
    iss: 'https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_xxxxx',
    'cognito:username': 'xxxx',
    exp: 1563647103,
    iat: 1563643503,
    email: 'xxx@xxx.xxx'
}

一切看起来都不错，所以让我们在使用 AWS Amplify 代码进行身份验证的 React 应用程序中使用它。它现在不起作用，那是因为 claim 部分没有“电子邮件”!它看起来像这样；

{
    sub: 'xxx-xxx-xxx-xxx-xxx',
    event_id: 'xxx-xxx-xxx-xxx-xxx',
    token_use: 'access',
    scope: 'aws.cognito.signin.user.admin',
    auth_time: 1563643209,
    iss: 'https://cognito-idp.ap-southeast-1.amazonaws.com/ap-southeast-1_xxxx',
    exp: 1563646809,
    iat: 1563643209,
    jti: 'xxx-xxx-xxx-xxx-xxx',
    client_id: 'xxxx',
    username: 'xxxx'
}

任何人都可以帮助我了解为什么电子邮件显示在 AWS 控制台查询中，但在我从自己的客户端调用时却没有？

Answer 1

通过传入一个函数，Amplify 可以配置为包含每个 graphql 请求的当前 ID Token。两个配置选项如下所示:

import { Auth } from 'aws-amplify';

const getIdToken = async () => ({
  Authorization: (await Auth.currentSession()).getIdToken().getJwtToken()
});

const aws_exports = {
  aws_appsync_graphqlEndpoint: 'https://****.appsync-api.us-east-2.amazonaws.com/graphql',
  aws_appsync_region: 'us-east-2',
  aws_appsync_authenticationType: 'AMAZON_COGNITO_USER_POOLS',

  // OPTION 1
  graphql_headers: getIdToken,

  // OPTION 2
  // API: {
  //   graphql_headers: getIdToken
  // },

  Auth: {
    identityPoolId: 'us-east-2:********-****-****-****-************',
    region: 'us-east-2',
    userPoolId: 'us-east-2_*********',
    userPoolWebClientId: '*************************',
    type: 'AMAZON_COGNITO_USER_POOLS'
  }
};

export default aws_exports;

Amplify.configure(awsconfig);

请注意 Access 和 ID token 之间解析器可用的不同声明。

访问 token 将提供 client_id 、 jti 和 scope 等声明，而 ID token 声明提供 email 、 phone_number 等，以及 aud 、 cognito:roles 和 cognito:username 等其他 token 。

访问 token

{
  "claims": {
    "auth_time": 1581438574,
    "client_id": "*************************",
    "cognito:groups": [
      "Admin"
    ],
    "event_id": "ec70594c-b02b-4015-ad0b-3c207a18a362",
    "exp": 1581442175,
    "iat": 1581438575,
    "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_*********",
    "jti": "351d2d5f-13c3-4de8-ba7c-b3c5a9e46ca6",
    "scope": "aws.cognito.signin.user.admin",
    "sub": "********-****-****-****-************",
    "token_use": "access",
    "username": "********-****-****-****-************"
  },
  ...
}

ID token

{
  "claims": {
    "address": {
      "formatted": "1984 Newspeak Dr"
    },
    "aud": "....",
    "auth_time": 1581438671,
    "birthdate": "1984-04-04",
    "cognito:groups": [
      "Admin"
    ],
    "cognito:roles": [
      "arn:aws:iam::012345678901:role/us-east-2-ConsumerRole"
    ],
    "cognito:username": "********-****-****-****-************",
    "email": "winston.smith@oceania.gov",
    "email_verified": true,
    "event_id": "e3087488-bfc8-4d08-a44c-089c4ae7d8ec",
    "exp": 1581442271,
    "gender": "Male",
    "iat": 1581438672,
    "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_*********",
    "name": "WINSTON SMITH",
    "phone_number": "+15551111984",
    "phone_number_verified": false,
    "sub": "********-****-****-****-************",
    "token_use": "id"
  },
  ...
}

用 amplify-js@2.2.4 测试

资料来源: https://github.com/aws-amplify/amplify-js/blob/aws-amplify%402.2.4/packages/api/src/API.ts#L86-L107