Cognito

首先Cognito没有提供登录至AWS控制台的功能，然而您可以通过Cognito Identity Pool获取到IAM role的credentials [1]，再另外通过代码自行将IAM role credentials拼凑成AWS控制台登录的URL [2]。

最后，由于Cognito的使用除了User Pool以及Identity Pool的创建以及配置以外，在登录及认证的流程中都必须依赖API(通过AWS CLI或代码)，因此您可以先参考文档资源 [6] 熟悉这项服务。

Q2. cognito底层是否是OIDC协议?AWS自己的协议还是Oauth?

A2. Cognito支持OAuth 2.0及OIDC [7]，没有另外自己开发协议。

1. 调用 initiate-auth [2] 手动向User Pool发起登录，获取token。
   命令：
   aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=,PASSWORD= --client-id --region
   输出：
   {
   “ChallengeParameters”: {},
   “AuthenticationResult”: {
   “AccessToken”: “”,
   “ExpiresIn”: 3600,
   “TokenType”: “Bearer”,
   “RefreshToken”: “”,
   “IdToken”: “”
   }
   }

2. 参考文档 [3] 的「增强型流程(Enhanced flow)」调用 get-id [4] 以及 get-credentials-for-identity [5] 获取IAM role的AccessKeyId、SecretKey、以及SessionToken。
   命令：
   aws cognito-identity get-id --identity-pool-id <identity_pool_id> --logins cognito-idp..amazonaws.com/<user_pool_id>=<步骤1获取的IdToken>
   输出：
   {
   “IdentityId”: “”
   }

命令：
aws cognito-identity get-credentials-for-identity --identity-id --logins cognito-idp..amazonaws.com/<user_pool_id>=<步骤1获取的IdToken>
输出：
{
“IdentityId”: “”,
“Credentials”: {
“AccessKeyId”: “”,
“SecretKey”: “”,
“SessionToken”: “”,
“Expiration”: “”
}
}

3. 如同一般的IAM role credentials，在credentials到期前配置并使用AccessKeyId、SecretKey、以及SessionToken [6]。

也提供文档说明 [7] 供您参考。

希望以上信息能对您有所帮助，欢迎您再度联系亚马逊技术支持。

参考文档：
[1] Common Amazon Cognito scenarios - Access AWS services with a user pool and an identity pool - https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-scenarios.html#scenario-aws-and-user-pool
[2] https://docs.aws.amazon.com/cli/latest/reference/cognito-idp/initiate-auth.html
[3] 如何使用 Amazon Cognito 身份池授予用户访问 AWS 服务的权限？ - https://repost.aws/zh-Hans/knowledge-center/cognito-identity-pool-grant-user-access
[4] https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-id.html
[5] https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-credentials-for-identity.html
[6] Configuration and credential file settings in the AWS CLI - https://docs.aws.amazon.com/cli/v1/userguide/cli-configure-files.html
[7] Accessing AWS services using an identity pool after sign-in - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-integrating-user-pools-with-identity-pools.html

AssumeRoleWithWebIdentity 与Identity Pool的搭配适用于当您在Identity Pool选择了Basic authflow的时候 [1]。您可以参考文档 [1] 或是 [2] 的Basic authflow(基本流程)，当您使用了Basic authflow的时候，在调用了 get-id 后，您便会需要依序调用 get-open-id-token [3] 以及 assume-role-with-web-identity [4] 来去获取到IAM role的credentials，而不是使用 get-credentials-for-identity。

命令：
aws cognito-identity get-open-id-token --identity-id “” --logins cognito-idp..amazonaws.com/<user_pool_id>=<步骤1获取的IdToken>

输出：
{
“IdentityId”: “”,
“Token”: “”
}

命令：
aws sts assume-role-with-web-identity --role-arn “<指定事先配置好的IAM role>” --web-identity-token “” --role-session-name “<自定义session名>”

输出：
{
“Credentials”: {
AccessKeyId": “”,
SecretAccessKey": “”,
SessionToken": “”,
Expiration": “”
},
“SubjectFromWebIdentityToken”: “”,
“AssumedRoleUser”: {
“AssumedRoleId”: “”,
“Arn”: “”
},
“Provider”: “cognito-identity.amazonaws.com”,
“Audience”: “”
}

参考文档：
[1] Identity pools authentication flow - https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html
[2] 如何使用 Amazon Cognito 身份池授予用户访问 AWS 服务的权限？ - https://repost.aws/zh-Hans/knowledge-center/cognito-identity-pool-grant-user-access
[3] https://docs.aws.amazon.com/cli/latest/reference/cognito-identity/get-open-id-token.html
[4] https://docs.aws.amazon.com/de_de/cli/latest/reference/sts/assume-role-with-web-identity.html

简单来说，通过Enhanced authflow您拿到的IAM role是由送交给Identity Pool的token内容决定，IAM role的对应也是在Identity Pool里面配置。而Basic authflow拿到的IAM role则是在调用 AssumeRoleWithWebIdentity 的时候由发起人决定。例如在Enhanced authflow您可以设置只要登录成功调用get-credentials-for-identity就返回IAM role A，没有登录就返回IAM role B。在Basic authflow由于没有mapping的功能，就必须另外配置IAM role，然后再通过 IAM 的 AssumeRoleWithWebIdentity 获取IAM role。

详细的说明以及流程图请您直接参考文档 [1]，为了您的方便，也为您节录文档说明如下，由于文档的中文为机器翻译，为了避免机器翻译的翻译问题，以下将为您节录原文。

「The basic workflow gives you more granular control over the credentials that you distribute to your users. The GetCredentialsForIdentity request of the enhanced authflow requests a role based on the contents of an access token. The AssumeRoleWithWebIdentity request in the classic workflow grants your app a greater ability to request credentials for any AWS Identity and Access Management role that you have configured with a sufficient trust policy. You can also request a custom role session duration.

You can sign in with the Basic authflow in user pools that don’t have role mappings. This type of identity pool doesn’t have a default authenticated or unauthenticated role, and doesn’t have role-based or attribute-based access control configured. When you attempt GetOpenIdToken in an identity pool with role mappings, you receive the following error.

Basic (classic) flow is not supported with RoleMappings, please use enhanced flow.」

参考文档：
[1] Identity pools authentication flow - https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html