How do I set up an OAuth2 authentication provider with AWS API Gateway?

Problem description:

AWS has an API Gateway, which makes it pretty easy to set up, manage and monitor your API. However, the security authorization settings that you can set for resource methods are limited to AWS-IAM (which to my understanding is an internal VPN role?).

It seems that my research on this subject has been pointing me to setting up an AWS Cognito pool, but when I go to configure one in my AWS console, the options for providers are: Amazon, Facebook, Google+, Twitter, OpenID, and Custom. I guess, in that case, I would use Custom? Then set up my own EC2 instance as an OAuth2 Authentication Provider Server.

Given that OAuth2 is so popular these days, it surprises me that there isn't an AWS service for this; it seems they've gone the whole OpenID or SAML route instead. It also surprises me that there is a lack of guides on how to quickly set up an OAuth2 provider in the cloud.

Any help would be much appreciated.

(1) Do you want to implement OAuth 2.0 endpoints (authorization endpoint and token endpoint) on API Gateway? In other words, do you really want to implement an OAuth 2.0 server (RFC 6749) on API Gateway?

(2) Or, do you want to protect your Web APIs implemented on API Gateway by OAuth 2.0 access token?

These two are completely different.

Because it seems you wanted to select OAuth 2.0 instead of AWS-IAM, I guess what you wanted to do is (2). If so, you can find an example here: Amazon API Gateway + AWS Lambda + OAuth

Updated on 2016-Apr-6

On Feb 11, 2016, a blog entry of AWS Compute Blog, "Introducing custom authorizers in Amazon API Gateway", announced that Custom Authorizer had been introduced into Amazon API Gateway. Thanks to this mechanism, an API built on Amazon API Gateway can delegate validation of a Bearer token (such as an OAuth or SAML token) presented by a client application to an external authorizer.

Amazon API Gateway Custom Authorizer + OAuth

FYI:

OAuth 2.0 is a mechanism for authorization, not authentication. But people often use OAuth 2.0 for authentication and there are many software libraries and services using OAuth 2.0 for authentication.

Cognito (Identity) is a solution related to authentication, not authorization.

Custom in Cognito is a place to specify OpenID Connect Providers. OpenID Connect is a solution for authentication. What makes things complicated is "OpenID Connect is built on top of OAuth 2.0". See OpenID Connect site for details.
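As an added illustration of the custom-authorizer mechanism the answer above describes (example code written for this page, not code from the original post, from the linked blog entry or from AWS), here is a TOKEN-type Lambda authorizer in Python. API Gateway hands it the raw Authorization header and the ARN of the invoked method; the function validates the Bearer token and returns the IAM policy document API Gateway expects. The token format (a JSON payload signed with HMAC-SHA256), the shared signing key, the scope name `api:read` and the sample method ARN are all assumptions constructed for the example; a real deployment would verify the access token the way its OAuth 2.0 server expects (a JWT against the issuer's published keys, or a token-introspection call).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed shared secret between the token issuer and this authorizer
# (constructed for the example; a real function would load it from an
# environment variable or a secrets store, never hard-code it).
SIGNING_KEY = b"example-shared-secret-not-for-production"

# Assumed scope a caller needs for this API (example value).
REQUIRED_SCOPE = "api:read"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a token in the constructed format <payload>.<signature>:
    base64url(JSON claims) followed by base64url(HMAC-SHA256 over the payload)."""
    payload = _b64url_encode(json.dumps(claims, sort_keys=True).encode("utf-8"))
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None, key: bytes = SIGNING_KEY) -> dict:
    """Return the claims if the signature is valid and the token is unexpired;
    raise ValueError for anything malformed, forged or expired."""
    try:
        payload, sig = token.split(".")
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature cannot be guessed byte by byte.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(payload))
    except ValueError as exc:  # also covers binascii.Error and JSONDecodeError
        raise ValueError(f"invalid token: {exc}") from None
    if not isinstance(claims, dict):
        raise ValueError("invalid token: claims are not an object")
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        raise ValueError("invalid token: missing exp or expired")
    return claims


def build_policy(principal_id: str, effect: str, method_arn: str,
                 context: Optional[dict] = None) -> dict:
    """Build the response shape API Gateway expects from a custom authorizer."""
    policy = {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}
            ],
        },
    }
    if context:
        # Forwarded to the backend as $context.authorizer.<key>; values must be
        # strings, numbers or booleans.
        policy["context"] = context
    return policy


def lambda_handler(event: dict, context=None, now: Optional[float] = None) -> dict:
    """Entry point for a TOKEN-type custom authorizer. API Gateway invokes it with
    the raw Authorization header in event["authorizationToken"] and the invoked
    method in event["methodArn"]. The extra `now` argument exists only so the
    logic can be exercised with a fixed clock."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        # The literal message "Unauthorized" makes API Gateway return HTTP 401.
        raise Exception("Unauthorized")
    try:
        claims = verify_token(token.strip(), now=now)
    except ValueError:
        raise Exception("Unauthorized")
    principal = claims.get("sub")
    scopes = claims.get("scope", [])
    if (not isinstance(principal, str) or not principal
            or not isinstance(scopes, list)
            or not all(isinstance(s, str) for s in scopes)):
        raise Exception("Unauthorized")
    # A valid token without the required scope is authenticated but not authorized:
    # return an explicit Deny, which API Gateway turns into HTTP 403.
    effect = "Allow" if REQUIRED_SCOPE in scopes else "Deny"
    return build_policy(principal, effect, event["methodArn"], {"scope": " ".join(scopes)})
```

One caveat worth knowing before copying this shape: API Gateway can cache the returned policy per token, and the cached policy is then reused for other methods called with the same token. Because this example's policy names only the single method ARN it was called for, a cached Allow would block other methods of the same API; authorizers that rely on caching usually list every resource the principal may invoke, or use a wildcard for the stage, instead of echoing `methodArn` back.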