Missing UserAttributes for federated Google user

Posted 2025-01-18 08:48:11 · 2450 characters · 4 views · 0 comments

I'm trying to integrate Google as an IdP in our existing Cognito UserPool. Everything is set up so far, and I can SignUp/SignIn using Google, which creates the new user. I'm using the PreSignUp Lambda trigger to link an existing user or create a new native one if there's no existing one. Now I was expecting that event.Request.UserAttributes['name'] contains the user's name as provided by Google, or at least that I would see the attribute in the id_token. But I see no possibility to get those values at the moment. We started using Cognito just as the store for username/password, and none of the userAttributes are filled nor marked as required.

I have set up the Google integration with the following scopes:

  • .../auth/userinfo.email
  • .../auth/userinfo.profile
  • openid

In the UserPoolClient I:

  • marked name as read- and writeable attribute (along with others)
  • Checked the following allowed OAuth scopes email, openid, and profile. Those are also defined in the Web-Client in charge of the OAuth flow.

In the Federation section, I configured the attribute mapping:

[Image: Attribute mapping for Google in Cognito]

Testwise, I mapped the name attribute to a custom attribute I used to test stuff. But neither this nor the mapping name to name worked.

Payload I get in the event:

{{PreSignUp_ExternalProvider .... Google_11...} {map[cognito:email_alias: cognito:phone_number_alias: email:[email protected] email_verified:true] map[] map[]} {false false false}}

id_token content:

{
  "at_hash": "..",
  "sub": "52...",
  "email_verified": true,
  "iss": "https://cognito-idp.us-west-2.amazonaws.com/...",
  "cognito:username": "52..",
  "origin_jti": "..",
  "aud": "...",
  "identities": [
    {
      "userId": "11...",
      "providerName": "Google",
      "providerType": "Google",
      "issuer": null,
      "primary": "false",
      "dateCreated": "1648828708886"
    }
  ],
  "token_use": "id",
  "auth_time": 1648828717,
  "exp": 1648830828,
  "iat": 1648830228,
  "jti": "...",
  "email": "[email protected]"
}

access_token content:

{
  "origin_jti": "02...",
  "sub": "52...",
  "token_use": "access",
  "scope": "openid profile",
  "auth_time": 1648828717,
  "iss": "https://cognito-idp.us-west-2.amazonaws.com/....",
  "exp": 1648829317,
  "iat": 1648828717,
  "version": 2,
  "jti": "..",
  "client_id": "...",
  "username": "52..."
}

Comments (2)

小矜持 2025-01-25 08:48:11

Now it's working, even though I cannot state the error. I recreated the whole test set again and ensured the correct values of the following:

  • attribute mappings
  • authorized scopes
  • Allowed OAuth scopes
  • Scopes selected by the frontend

I added the scopes email, profile, and openid to be sure, and now I get the name attribute within the PreSignUp trigger Lambda and in the ID token.

探春 2025-01-25 08:48:11

I had the same problem when using Cognito as an authorizer for a REST API Gateway set up as a Lambda proxy. In my case, the claims that the Lambda received did not include all the user's attributes for a user signed in with Google.

Finally, I identified that the issue was in the front-end configuration for getting the ID tokens from Cognito. I was using Amplify Auth and was missing the 'profile' scope in the oauth configuration.

Amplify.configure({
    Auth: {
        ...
        oauth: {
            ...
            scope: ['phone', 'email', 'profile', 'openid', 'aws.cognito.signin.user.admin'],
            ...
        }
    }
});
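The following is an added example, not code from the question or either answer: a defensive check that a PreSignUp trigger (the question's linking handler) and the Amplify oauth config (this answer's fix) carry what a federated Google sign-up needs before any linking happens. It makes no AWS calls; it only inspects the event and builds the AdminLinkProviderForUser parameters a real handler would pass. Function and constant names, the sample event and the pool id are my own placeholders.

```javascript
// Attributes Cognito should forward once the IdP attribute mapping and the
// OAuth scopes (email, profile, openid) are configured, per the two answers.
const REQUIRED_FEDERATED_ATTRS = ['email', 'name'];
const REQUIRED_OAUTH_SCOPES = ['email', 'profile', 'openid'];

// Split a federated userName such as "Google_11..." into provider and provider user id.
function parseFederatedUserName(userName) {
  const idx = userName.indexOf('_');
  if (idx <= 0) throw new Error(`not a federated userName: ${userName}`);
  return { providerName: userName.slice(0, idx), providerUserId: userName.slice(idx + 1) };
}

// Expected attributes absent from event.request.userAttributes (empty = all present).
function missingAttributes(event) {
  const attrs = (event.request && event.request.userAttributes) || {};
  return REQUIRED_FEDERATED_ATTRS.filter((a) => !attrs[a]);
}

// Scopes absent from an Amplify Auth oauth config; a missing 'profile' is
// exactly the misconfiguration described in the second answer.
function missingOAuthScopes(amplifyAuthConfig) {
  const scope = (amplifyAuthConfig.oauth && amplifyAuthConfig.oauth.scope) || [];
  return REQUIRED_OAUTH_SCOPES.filter((s) => !scope.includes(s));
}

// Decide what the trigger should do. Linking only proceeds when the event is a
// federated sign-up AND carries the attributes we rely on; otherwise the trigger
// fails closed instead of creating a half-populated native user.
function planLink(event, nativeUsername) {
  if (event.triggerSource !== 'PreSignUp_ExternalProvider') {
    return { action: 'skip', reason: 'not a federated sign-up' };
  }
  const missing = missingAttributes(event);
  if (missing.length > 0) {
    return { action: 'reject', reason: `missing attributes: ${missing.join(', ')} (check attribute mapping and requested scopes)` };
  }
  const { providerName, providerUserId } = parseFederatedUserName(event.userName);
  // Parameter shape follows the documented AdminLinkProviderForUser API.
  return {
    action: 'link',
    params: {
      UserPoolId: event.userPoolId,
      DestinationUser: { ProviderName: 'Cognito', ProviderAttributeValue: nativeUsername },
      SourceUser: { ProviderName: providerName, ProviderAttributeName: 'Cognito_Subject', ProviderAttributeValue: providerUserId },
    },
  };
}

// Constructed sample event mirroring the question's payload: email present, name absent.
const SAMPLE_EVENT = {
  triggerSource: 'PreSignUp_ExternalProvider',
  userPoolId: 'us-west-2_EXAMPLE',
  userName: 'Google_11111',
  request: { userAttributes: { email: 'user@example.com', email_verified: 'true' } },
};
```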