aws cognito

by Kangze Huang

黄康泽

使用AWS Cognito的用户管理—(1/3)初始设置 (User Management with AWS Cognito — (1/3) Initial Setup)

完整的AWS Web样板-教程1A (The Complete AWS Web Boilerplate — Tutorial 1A)

Main Table of Contents Click Here
主要目录请点击这里

Part A: Initial Setup
A部分： 初始设置

Part B: The Core Functionality
B部分： 核心功能

Part C: Last Steps to Full Fledged
C部分： 全面完成的最后步骤

Download the Github here.

在此处下载Github。

介绍 (Introduction)

Setting up user authentication can take ages, but it is an essential cornerstone of any production app. There are options out there such as AuthO and PassportJS, but they either have hard learning curves, require continual maintenance, or are vulnerable to programmer errors as they require self-setup. If only there was a hands-off, customizable, secure and highly scalable user management service on the cloud.

设置用户身份验证可能会花费很多时间，但这是任何生产应用程序必不可少的基石。那里有诸如AuthO和PassportJS之类的选项，但是它们要么学习难度大，需要不断维护，要么由于需要自我设置而容易受到程序员错误的影响。如果只有手动操作，可定制的，安全的和高度可扩展的云上用户管理服务。

Introducing Amazon Cognito and Federated Identities. Cognito is the AWS solution for managing user profiles, and Federated Identities help keep track of your users across multiple logins. Integrated into the AWS ecosystem, AWS Cognito opens up a world of possibility for advanced front end development as Cognito+IAM roles give you selective secure access to other AWS services. Want to only allow S3 Bucket access to specific signed on users? Simply connect a Cognito login with an IAM role allowed access to the bucket, and now your bucket is secure! Best of all, the free tier gives you 50,000 monthly active users so you won’t have to worry about paying more until you’re ready to boom.

介绍Amazon Cognito和联合身份。 Cognito是用于管理用户配置文件的AWS解决方案，而联合身份可帮助您跟踪多次登录中的用户。集成到AWS生态系统中的AWS Cognito为高级前端开发打开了无限可能，因为Cognito + IAM角色使您可以选择性地安全访问其他AWS服务。是否只允许S3存储桶访问特定的已登录用户？只需将Cognito登录名与允许访问存储桶的IAM角色连接起来，即可安全保护您的存储桶！最重要的是，免费套餐可为您提供50,000个每月的活跃用户，因此您无需担心要支付更多的费用，直到您准备繁荣之前。

This boilerplate is a React-Redux web app that has the full features of AWS Cognito and Federated Identities pre-integrated. Use this boilerplate if you have an app that you want developed with a production-ready authentication service from the very beginning. Indeed this is a powerful launchpad for your next great idea.

该样板是一个React-Redux Web应用程序，具有预先集成的AWS Cognito和联合身份的全部功能。如果您有从一开始就想要使用生产就绪认证服务开发的应用程序，请使用此样板。确实，这是您下一个好主意的强大启动板。

Go to AWS Cognito on the AWS console to get started!

在AWS控制台上转到AWS Cognito入门！

初始设置-Cognito (Initial Setup — Cognito)

We will be setting up AWS Cognito, which is a custom login pool (such as login with email). Cognito IS NOT a login manager for any type of login (such as Facebook and Gmail), only for custom logins.

我们将设置AWS Cognito，这是一个自定义登录池(例如，使用电子邮件登录)。 Cognito并非任何类型的登录名(例如Facebook和Gmail)的登录管理器，仅适用于自定义登录名。

Let’s first make a user pool by clicking on “Manage your User Pools”. A user pool is a group of users that fulfill the same designation. If you were making an Uber clone, you would make 2 user pools — one for drivers and one for riders. For now, let just make 1 new user pool called “App_Users”. The setup screen should look like this:

首先，通过单击“管理您的用户池”来建立用户池。用户池是一组具有相同名称的用户。如果要制作Uber克隆，则将创建2个用户池-一个用于驾驶员，一个用于骑手。现在，让我们新建一个名为“ App_Users”的用户池。设置屏幕应如下所示：

We’re gonna walk through this process step by step, so enter the Pool name of “App_Users” and click “Step through settings”. The next step is “Attributes”, where we define the attributes that our “App_Users” will have.

我们将逐步完成此过程，因此输入“ App_Users”的池名称，然后单击“逐步设置”。下一步是“属性”，我们在其中定义“ App_Users”将具有的属性。

We now, we only want to have an email, password and “agentName”. The email is our unique identifier for a user and the password is a mandatory field (which is why you don’t see it in the list of standard attributes). We want users to be able to have a codename to go by, so let’s set up “agentName” is a custom attribute. We are only using “agentName” to show how to add custom attributes. Scroll down and you will see the option to add custom attributes.

现在，我们只想要一个电子邮件，密码和“ agentName”。电子邮件是我们为用户提供的唯一标识符，而密码是必填字段(这就是为什么您在标准属性列表中看不到它的原因)。我们希望用户能够拥有一个代号，因此我们将“ agentName”设置为一个自定义属性。我们仅使用“ agentName”来显示如何添加自定义属性。向下滚动，您将看到添加自定义属性的选项。

As of the date this tutorial was written, you cannot go back and change the custom attributes (even though AWS appears to be able to), so be sure to get this right the first time! If you need to change attributes, you will have to create a new user pool. Hopefully AWS fixes this issue soon. Anyways, moving on to account policies!

从撰写本教程之日起，您无法返回并更改自定义属性(即使AWS似乎可以更改)，因此请确保第一次正确！如果需要更改属性，则必须创建一个新的用户池。希望AWS可以尽快解决此问题。无论如何，请继续使用帐户政策！

So we can see here that our passwords can be enforced to require certain characters. Obviously requiring a mix of various character types would be more secure, but users often don’t like that. For a middle ground, lets just require the password to be 8+ characters in length, and include at least 1 number. We also want users to be able to sign themselves up. The other parts are not so important, so let’s move onto the next step: verifications.

因此，我们在这里可以看到我们的密码可以强制使用某些字符。显然，要求将各种字符类型混合使用会更安全，但用户通常不喜欢这样。作为中间立场，让我们只要求密码的长度为8个以上字符，并至少包含1个数字即可。我们还希望用户能够注册自己。其他部分并不那么重要，因此让我们继续下一步：验证。

This part is cool, we can easily integrate multi-factor authentication (MFA). This means users must sign up with an email as well as another form of authentication such as a phone number. A PIN would be sent to that phone number and the user would use it to verify their account. We won’t be using MFA in this tutorial, just email verification. Set MFA to “off” and check only “Email” as a verification method. We can leave the “AppUsers-SMS-Role” (IAM role) that has been filled in, as we won’t be using it but may use it in the future. Cognito uses that IAM role to be authorized to send SMS text messages used in MFA. Since we’re not using MFA, we can move on to: Message Customizations.

这部分很酷，我们可以轻松地集成多因素身份验证(MFA)。这意味着用户必须使用电子邮件以及其他形式的身份验证(例如电话号码)进行注册。 PIN将发送到该电话号码，用户将使用它来验证其帐户。在本教程中，我们将仅使用电子邮件验证来使用MFA。将MFA设置为“关闭”，并仅选中“电子邮件”作为验证方法。我们可以保留已填写的“ AppUsers-SMS-Role”(IAM角色)，因为我们不会使用它，但将来可能会使用它。 Cognito使用该IAM角色来授权发送MFA中使用的SMS文本消息。由于我们不使用MFA，因此我们可以继续进行以下操作：消息自定义。

When users receive their account verification emails, we can specify what goes into that email. Here we have made a custom email and programmatically placed in the verification PIN represented as {####}. Unfortunately we can’t pass in other variables such as a verification link. To accomplish this, we would have to use a combination of AWS Lambda and AWS SES.

当用户收到帐户验证电子邮件时，我们可以指定该电子邮件中包含的内容。在这里，我们制作了一封自定义电子邮件，并以编程方式将其放置在表示为{####}的验证PIN中。不幸的是，我们无法传入其他变量，例如验证链接。为此，我们必须结合使用AWS Lambda和AWS SES。

Scroll down the page in the Message Customizations step and we can add our own default FROM and REPLY-TO addresses. In order to do this, we need to verify an email in AWS SES, which is easy and super quick to set up. In a new tab, go to the AWS console homepage by clicking the orange cube at the top left hand. In the console homepage, search for SES (Simple Email Service). Click to go to the SES page, then click the Email Addresses link on the left menu.

在“消息自定义”步骤中向下滚动页面，我们可以添加我们自己的默认FROM和REPLY-TO地址。为此，我们需要在AWS SES中验证电子邮件，该电子邮件的设置非常容易且非常快捷。在新选项卡中，通过单击左上角的橙色多维数据集转到AWS控制台主页。在控制台主页中，搜索SES(简单电子邮件服务)。单击以转到SES页面，然后单击左侧菜单上的“电子邮件地址”链接。

Next click “Verify a New Address”, and enter the email you would like to verify.

接下来单击“验证新地址”，然后输入要验证的电子邮件。

Now login to your email and open the email from AWS. Click the link inside the email to verify, and you will be redirected to the AWS SES page again. You have successfully verified an email! That was easy.

现在登录到您的电子邮件，然后从AWS打开电子邮件。单击电子邮件中的链接进行验证，您将再次被重定向到AWS SES页面。您已成功验证电子邮件！那很简单。

Now that’s done, let’s return back to AWS Cognito and move on to: Tags.

现在完成了，让我们回到AWS Cognito并继续：标签。

It is not mandatory to add tags to a user pool, but it is definitely useful for managing many AWS services. Let’s just add a tag for ‘AppName’ and set it to a value of ‘MyApp’. We can now move on to: Devices.

将标签添加到用户池不是强制性的，但是对于管理许多AWS服务绝对有用。让我们为“ AppName”添加一个标记并将其设置为“ MyApp”的值。现在，我们可以继续：设备。

We can opt to remember our user’s devices. I usually select “Always” because remembering user devices is both free and requires no coding on our part. The information is useful too, so why not? Next step: Apps.

我们可以选择记住我们用户的设备。我通常选择“始终”，因为记住用户设备既免费又不需要我们编写任何代码。这些信息也很有用，为什么不呢？下一步：应用程序。

We want certain apps to have access to our user pool. These apps are not present anywhere else on the AWS ecosystem, which means when we create an “app”, it is a Cognito-only identifier. Apps are useful because we can have multiple apps accessing the same user pool (imagine an Uber clone app, and a complimentary Driving Test Practice App). We will set the refresh token to 30 days, which means each login attempt will return a refresh token that we can use for authentication instead of logging in every time. We un-click “Generate Client Secret” because we intend to log into our user pool from the front end instead of back end (ergo, we cannot keep secrets on the front end because that is insecure). Click “Create App” and then “Next Step” to move on to: Triggers.

我们希望某些应用有权访问我们的用户池。这些应用程序在AWS生态系统上的其他任何地方都没有，这意味着当我们创建“应用程序”时，它是仅Cognito的标识符。应用程序很有用，因为我们可以让多个应用程序访问同一个用户池(想象一个Uber克隆应用程序，以及一个免费的驾驶考试实践应用程序)。我们会将刷新令牌设置为30天，这意味着每次登录尝试都会返回一个刷新令牌，我们可以将其用于身份验证，而不是每次都登录。取消单击“生成客户端机密”是因为我们打算从前端而不是后端登录到我们的用户池(因此，我们不能在前端保留机密，因为这是不安全的)。单击“创建应用”，然后单击“下一步”以继续：触发器。

We can trigger various actions in the user authentication and setup flow. Remember how we said we can create more complex account verification emails using AWS Lambda and AWS SES? This is where we would set that up. For the scope of this tutorial, we will not be using any AWS Lambda triggers. Let’s move on to the final step: Review.

我们可以在用户身份验证和设置流程中触发各种操作。还记得我们说过如何使用AWS Lambda和AWS SES创建更复杂的账户验证电子邮件吗？这是我们要进行设置的地方。在本教程的范围内，我们将不使用任何AWS Lambda触发器。让我们继续最后一步：回顾。

Here we review all the setup configurations we have made. If you are sure about this info, click “Create Pool” and our Cognito User Pool will be generated!

在这里，我们回顾所有已完成的设置配置。如果您确定此信息，请单击“创建池”，我们的Cognito用户池将生成！

Take note of the Pool Id us-east-1_6i5p2Fwao in the Pool details tab.

在“池详细信息”选项卡中记录池ID us-east-1_6i5p2Fwao 。

And the App client id 5jr0qvudipsikhk2n1ltcq684b in the Apps tab. We will need both of these in our client side app.

在“应用程序”选项卡中，应用程序客户端ID为5jr0qvudipsikhk2n1ltcq684b 。我们将在客户端应用程序中同时使用这两个功能。

Now that Cognito is set up, we can set up Federated Identities for multiple login providers. In this tutorial we do not cover the specifics of FB Login as it is not within in the scope of this tutorial series. However, integrating FB Login is super easy and we will show how it’s done in the below section.

现在已经设置了Cognito，我们可以为多个登录提供者设置联合身份。在本教程中，我们不讨论FB登录的细节，因为它不在本教程系列的范围之内。但是，集成FB登录非常容易，我们将在下一节中演示如何完成。

初始设置-联合身份 (Initial Setup — Federated Identities)

Next we want to setup “Federated Identities”. If we have an app that allows multiple login providers (Amazon Cognito, Facebook, Gmail..etc) to the same user, we would use Federated Identities to centralize all these logins. In this tutorial, we will be using both our Amazon Cognito login, as well as a potential Facebook Login. Go to Federated Identities and begin the process to create a new identity pool. Give it an appropriate name.

接下来，我们要设置“联合身份”。如果我们有一个应用程序允许同一用户使用多个登录提供程序(Amazon Cognito，Facebook，Gmail..etc)，我们将使用联合身份集中所有这些登录。在本教程中，我们将使用我们的Amazon Cognito登录名以及潜在的Facebook登录名。转到联合身份，然后开始创建新身份池的过程。给它起一个适当的名字。

Now expand the “Authentication providers” section and you will see the below screen. Under Cognito, we are going to add the Cognito User Pool that we just created. Copy and paste the User Pool ID and App Client ID that we made note of earlier.

现在，展开“身份验证提供程序”部分，您将看到以下屏幕。在Cognito下，我们将添加刚刚创建的Cognito用户池。复制并粘贴我们前面提到的用户池ID和应用程序客户端ID。

And if we wanted Facebook login for the same user identity pool, we can go to the Facebook tab and simply enter our Facebook App ID. That’s all there is to it on the AWS console!

如果我们希望Facebook登录同一用户身份池，则可以转到Facebook选项卡，只需输入我们的Facebook App ID。这就是AWS控制台上的全部内容！

Save the identity pool and you will be redirected to the below screen where IAM roles are created to represent the Federated Identity Pool. The unauthenticated IAM role is for non-logged in users, and the authenticated version is for logged in users. We can grant these IAM roles permission to access other AWS resources like S3 buckets and such. That is how we achieve greater security by integrating our app throughout the AWS ecosystem. Continue to finish creating this Identity Pool.

保存身份池，您将被重定向到以下屏幕，在该屏幕上创建了IAM角色以表示联合身份池。未经身份验证的IAM角色适用于未登录的用户，已认证的版本适用于已登录的用户。我们可以授予这些IAM角色访问其他AWS资源(如S3存储桶等)的权限。这就是我们通过在整个AWS生态系统中集成我们的应用程序来提高安全性的方式。继续完成此身份池的创建。

You should now see the below screen after successfully creating the identity pool. You now only need to make note of 1 thing which is the Identity Pool ID (ie. us-east-1:65bd1e7d-546c-4f8c-b1bc-9e3e571cfaa7) which we will use later in our code. Great!

成功创建身份池后，现在应该看到以下屏幕。现在，您只需要记下1个东西，即身份池ID(即us-east-1:65bd1e7d-546c-4f8c-b1bc-9e3e571cfaa7 )，我们将在以后的代码中使用它。大！

Exit everything and go back to the AWS Cognito main screen. If we enter the Cognito section or the Federated Identities section, we see that we have the 2 necessary pools set up. AWS Cognito and AWS Federated Identities are ready to go!

退出所有内容，然后返回到AWS Cognito主屏幕。如果我们进入“认知”部分或“联合身份”部分，我们将看到已经设置了两个必要的池。 AWS Cognito和AWS Federated Identities已准备就绪！

That’s all for set up! With these 2 pools we can integrate the rest of our code into Amazon’s complete authentication service and achieve top tier user management. That was way easier than custom OAuth+Passport.js! If you like what you’ve seen so far, keep reading! Remember that after you learn this once, it will be super easy in the future, so it is definitely worth the time investment. See you in the next section!

这就是设置的全部！通过这两个池，我们可以将其余代码集成到Amazon的完整身份验证服务中，并实现顶级用户管理。这比自定义OAuth + Passport.js容易得多！如果您喜欢到目前为止所看到的，请继续阅读！请记住，一旦学习了这一点，将来它将变得非常容易，因此绝对值得花时间进行投资。下一节见！