aws cognito

by Kangze Huang

黃康澤

使用AWS Cognito的用戶管理—(1/3)初始設置 (User Management with AWS Cognito — (1/3) Initial Setup)

完整的AWS Web樣板-教程1A (The Complete AWS Web Boilerplate — Tutorial 1A)

Main Table of Contents Click Here
主要目錄請點擊這里

Part A: Initial Setup
A部分： 初始設置

Part B: The Core Functionality
B部分： 核心功能

Part C: Last Steps to Full Fledged
C部分： 全面完成的最后步驟

Download the Github here.

在此處下載Github。

介紹 (Introduction)

Setting up user authentication can take ages, but it is an essential cornerstone of any production app. There are options out there such as AuthO and PassportJS, but they either have hard learning curves, require continual maintenance, or are vulnerable to programmer errors as they require self-setup. If only there was a hands-off, customizable, secure and highly scalable user management service on the cloud.

設置用戶身份驗證可能會花費很多時間，但這是任何生產應用程序必不可少的基石。那里有諸如AuthO和PassportJS之類的選項，但是它們要么學習難度大，需要不斷維護，要么由于需要自我設置而容易受到程序員錯誤的影響。如果只有手動操作，可定制的，安全的和高度可擴展的云上用戶管理服務。

Introducing Amazon Cognito and Federated Identities. Cognito is the AWS solution for managing user profiles, and Federated Identities help keep track of your users across multiple logins. Integrated into the AWS ecosystem, AWS Cognito opens up a world of possibility for advanced front end development as Cognito+IAM roles give you selective secure access to other AWS services. Want to only allow S3 Bucket access to specific signed on users? Simply connect a Cognito login with an IAM role allowed access to the bucket, and now your bucket is secure! Best of all, the free tier gives you 50,000 monthly active users so you won’t have to worry about paying more until you’re ready to boom.

介紹Amazon Cognito和聯合身份。 Cognito是用于管理用戶配置文件的AWS解決方案，而聯合身份可幫助您跟蹤多次登錄中的用戶。集成到AWS生態系統中的AWS Cognito為高級前端開發打開了無限可能，因為Cognito + IAM角色使您可以選擇性地安全訪問其他AWS服務。是否只允許S3存儲桶訪問特定的已登錄用戶？只需將Cognito登錄名與允許訪問存儲桶的IAM角色連接起來，即可安全保護您的存儲桶！最重要的是，免費套餐可為您提供50,000個每月的活躍用戶，因此您無需擔心要支付更多的費用，直到您準備繁榮之前。

This boilerplate is a React-Redux web app that has the full features of AWS Cognito and Federated Identities pre-integrated. Use this boilerplate if you have an app that you want developed with a production-ready authentication service from the very beginning. Indeed this is a powerful launchpad for your next great idea.

該樣板是一個React-Redux Web應用程序，具有預先集成的AWS Cognito和聯合身份的全部功能。如果您有從一開始就想要使用生產就緒認證服務開發的應用程序，請使用此樣板。確實，這是您下一個好主意的強大啟動板。

Go to AWS Cognito on the AWS console to get started!

在AWS控制臺上轉到AWS Cognito入門！

初始設置-Cognito (Initial Setup — Cognito)

We will be setting up AWS Cognito, which is a custom login pool (such as login with email). Cognito IS NOT a login manager for any type of login (such as Facebook and Gmail), only for custom logins.

我們將設置AWS Cognito，這是一個自定義登錄池(例如，使用電子郵件登錄)。 Cognito并非任何類型的登錄名(例如Facebook和Gmail)的登錄管理器，僅適用于自定義登錄名。

Let’s first make a user pool by clicking on “Manage your User Pools”. A user pool is a group of users that fulfill the same designation. If you were making an Uber clone, you would make 2 user pools — one for drivers and one for riders. For now, let just make 1 new user pool called “App_Users”. The setup screen should look like this:

首先，通過單擊“管理您的用戶池”來建立用戶池。用戶池是一組具有相同名稱的用戶。如果要制作Uber克隆，則將創建2個用戶池-一個用于駕駛員，一個用于騎手。現在，讓我們新建一個名為“ App_Users”的用戶池。設置屏幕應如下所示：

We’re gonna walk through this process step by step, so enter the Pool name of “App_Users” and click “Step through settings”. The next step is “Attributes”, where we define the attributes that our “App_Users” will have.

我們將逐步完成此過程，因此輸入“ App_Users”的池名稱，然后單擊“逐步設置”。下一步是“屬性”，我們在其中定義“ App_Users”將具有的屬性。

We now, we only want to have an email, password and “agentName”. The email is our unique identifier for a user and the password is a mandatory field (which is why you don’t see it in the list of standard attributes). We want users to be able to have a codename to go by, so let’s set up “agentName” is a custom attribute. We are only using “agentName” to show how to add custom attributes. Scroll down and you will see the option to add custom attributes.

現在，我們只想要一個電子郵件，密碼和“ agentName”。電子郵件是我們為用戶提供的唯一標識符，而密碼是必填字段(這就是為什么您在標準屬性列表中看不到它的原因)。我們希望用戶能夠擁有一個代號，因此我們將“ agentName”設置為一個自定義屬性。我們僅使用“ agentName”來顯示如何添加自定義屬性。向下滾動，您將看到添加自定義屬性的選項。

As of the date this tutorial was written, you cannot go back and change the custom attributes (even though AWS appears to be able to), so be sure to get this right the first time! If you need to change attributes, you will have to create a new user pool. Hopefully AWS fixes this issue soon. Anyways, moving on to account policies!

從撰寫本教程之日起，您無法返回并更改自定義屬性(即使AWS似乎可以更改)，因此請確保第一次正確！如果需要更改屬性，則必須創建一個新的用戶池。希望AWS可以盡快解決此問題。無論如何，請繼續使用帳戶政策！

So we can see here that our passwords can be enforced to require certain characters. Obviously requiring a mix of various character types would be more secure, but users often don’t like that. For a middle ground, lets just require the password to be 8+ characters in length, and include at least 1 number. We also want users to be able to sign themselves up. The other parts are not so important, so let’s move onto the next step: verifications.

因此，我們在這里可以看到我們的密碼可以強制使用某些字符。顯然，要求將各種字符類型混合使用會更安全，但用戶通常不喜歡這樣。作為中間立場，讓我們只要求密碼的長度為8個以上字符，并至少包含1個數字即可。我們還希望用戶能夠注冊自己。其他部分并不那么重要，因此讓我們繼續下一步：驗證。

This part is cool, we can easily integrate multi-factor authentication (MFA). This means users must sign up with an email as well as another form of authentication such as a phone number. A PIN would be sent to that phone number and the user would use it to verify their account. We won’t be using MFA in this tutorial, just email verification. Set MFA to “off” and check only “Email” as a verification method. We can leave the “AppUsers-SMS-Role” (IAM role) that has been filled in, as we won’t be using it but may use it in the future. Cognito uses that IAM role to be authorized to send SMS text messages used in MFA. Since we’re not using MFA, we can move on to: Message Customizations.

這部分很酷，我們可以輕松地集成多因素身份驗證(MFA)。這意味著用戶必須使用電子郵件以及其他形式的身份驗證(例如電話號碼)進行注冊。 PIN將發送到該電話號碼，用戶將使用它來驗證其帳戶。在本教程中，我們將僅使用電子郵件驗證來使用MFA。將MFA設置為“關閉”，并僅選中“電子郵件”作為驗證方法。我們可以保留已填寫的“ AppUsers-SMS-Role”(IAM角色)，因為我們不會使用它，但將來可能會使用它。 Cognito使用該IAM角色來授權發送MFA中使用的SMS文本消息。由于我們不使用MFA，因此我們可以繼續進行以下操作：消息自定義。

When users receive their account verification emails, we can specify what goes into that email. Here we have made a custom email and programmatically placed in the verification PIN represented as {####}. Unfortunately we can’t pass in other variables such as a verification link. To accomplish this, we would have to use a combination of AWS Lambda and AWS SES.

當用戶收到帳戶驗證電子郵件時，我們可以指定該電子郵件中包含的內容。在這里，我們制作了一封自定義電子郵件，并以編程方式將其放置在表示為{####}的驗證PIN中。不幸的是，我們無法傳入其他變量，例如驗證鏈接。為此，我們必須結合使用AWS Lambda和AWS SES。

Scroll down the page in the Message Customizations step and we can add our own default FROM and REPLY-TO addresses. In order to do this, we need to verify an email in AWS SES, which is easy and super quick to set up. In a new tab, go to the AWS console homepage by clicking the orange cube at the top left hand. In the console homepage, search for SES (Simple Email Service). Click to go to the SES page, then click the Email Addresses link on the left menu.

在“消息自定義”步驟中向下滾動頁面，我們可以添加我們自己的默認FROM和REPLY-TO地址。為此，我們需要在AWS SES中驗證電子郵件，該電子郵件的設置非常容易且非常快捷。在新選項卡中，通過單擊左上角的橙色多維數據集轉到AWS控制臺主頁。在控制臺主頁中，搜索SES(簡單電子郵件服務)。單擊以轉到SES頁面，然后單擊左側菜單上的“電子郵件地址”鏈接。

Next click “Verify a New Address”, and enter the email you would like to verify.

接下來單擊“驗證新地址”，然后輸入要驗證的電子郵件。

Now login to your email and open the email from AWS. Click the link inside the email to verify, and you will be redirected to the AWS SES page again. You have successfully verified an email! That was easy.

現在登錄到您的電子郵件，然后從AWS打開電子郵件。單擊電子郵件中的鏈接進行驗證，您將再次被重定向到AWS SES頁面。您已成功驗證電子郵件！那很簡單。

Now that’s done, let’s return back to AWS Cognito and move on to: Tags.

現在完成了，讓我們回到AWS Cognito并繼續：標簽。

It is not mandatory to add tags to a user pool, but it is definitely useful for managing many AWS services. Let’s just add a tag for ‘AppName’ and set it to a value of ‘MyApp’. We can now move on to: Devices.

將標簽添加到用戶池不是強制性的，但是對于管理許多AWS服務絕對有用。讓我們為“ AppName”添加一個標記并將其設置為“ MyApp”的值。現在，我們可以繼續：設備。

We can opt to remember our user’s devices. I usually select “Always” because remembering user devices is both free and requires no coding on our part. The information is useful too, so why not? Next step: Apps.

我們可以選擇記住我們用戶的設備。我通常選擇“始終”，因為記住用戶設備既免費又不需要我們編寫任何代碼。這些信息也很有用，為什么不呢？下一步：應用程序。

We want certain apps to have access to our user pool. These apps are not present anywhere else on the AWS ecosystem, which means when we create an “app”, it is a Cognito-only identifier. Apps are useful because we can have multiple apps accessing the same user pool (imagine an Uber clone app, and a complimentary Driving Test Practice App). We will set the refresh token to 30 days, which means each login attempt will return a refresh token that we can use for authentication instead of logging in every time. We un-click “Generate Client Secret” because we intend to log into our user pool from the front end instead of back end (ergo, we cannot keep secrets on the front end because that is insecure). Click “Create App” and then “Next Step” to move on to: Triggers.

我們希望某些應用有權訪問我們的用戶池。這些應用程序在AWS生態系統上的其他任何地方都沒有，這意味著當我們創建“應用程序”時，它是僅Cognito的標識符。應用程序很有用，因為我們可以讓多個應用程序訪問同一個用戶池(想象一個Uber克隆應用程序，以及一個免費的駕駛考試實踐應用程序)。我們會將刷新令牌設置為30天，這意味著每次登錄嘗試都會返回一個刷新令牌，我們可以將其用于身份驗證，而不是每次都登錄。取消單擊“生成客戶端機密”是因為我們打算從前端而不是后端登錄到我們的用戶池(因此，我們不能在前端保留機密，因為這是不安全的)。單擊“創建應用”，然后單擊“下一步”以繼續：觸發器。

We can trigger various actions in the user authentication and setup flow. Remember how we said we can create more complex account verification emails using AWS Lambda and AWS SES? This is where we would set that up. For the scope of this tutorial, we will not be using any AWS Lambda triggers. Let’s move on to the final step: Review.

我們可以在用戶身份驗證和設置流程中觸發各種操作。還記得我們說過如何使用AWS Lambda和AWS SES創建更復雜的賬戶驗證電子郵件嗎？這是我們要進行設置的地方。在本教程的范圍內，我們將不使用任何AWS Lambda觸發器。讓我們繼續最后一步：回顧。

Here we review all the setup configurations we have made. If you are sure about this info, click “Create Pool” and our Cognito User Pool will be generated!

在這里，我們回顧所有已完成的設置配置。如果您確定此信息，請單擊“創建池”，我們的Cognito用戶池將生成！

Take note of the Pool Id us-east-1_6i5p2Fwao in the Pool details tab.

在“池詳細信息”選項卡中記錄池ID us-east-1_6i5p2Fwao 。

And the App client id 5jr0qvudipsikhk2n1ltcq684b in the Apps tab. We will need both of these in our client side app.

在“應用程序”選項卡中，應用程序客戶端ID為5jr0qvudipsikhk2n1ltcq684b 。我們將在客戶端應用程序中同時使用這兩個功能。

Now that Cognito is set up, we can set up Federated Identities for multiple login providers. In this tutorial we do not cover the specifics of FB Login as it is not within in the scope of this tutorial series. However, integrating FB Login is super easy and we will show how it’s done in the below section.

現在已經設置了Cognito，我們可以為多個登錄提供者設置聯合身份。在本教程中，我們不討論FB登錄的細節，因為它不在本教程系列的范圍之內。但是，集成FB登錄非常容易，我們將在下一節中演示如何完成。

初始設置-聯合身份 (Initial Setup — Federated Identities)

Next we want to setup “Federated Identities”. If we have an app that allows multiple login providers (Amazon Cognito, Facebook, Gmail..etc) to the same user, we would use Federated Identities to centralize all these logins. In this tutorial, we will be using both our Amazon Cognito login, as well as a potential Facebook Login. Go to Federated Identities and begin the process to create a new identity pool. Give it an appropriate name.

接下來，我們要設置“聯合身份”。如果我們有一個應用程序允許同一用戶使用多個登錄提供程序(Amazon Cognito，Facebook，Gmail..etc)，我們將使用聯合身份集中所有這些登錄。在本教程中，我們將使用我們的Amazon Cognito登錄名以及潛在的Facebook登錄名。轉到聯合身份，然后開始創建新身份池的過程。給它起一個適當的名字。

Now expand the “Authentication providers” section and you will see the below screen. Under Cognito, we are going to add the Cognito User Pool that we just created. Copy and paste the User Pool ID and App Client ID that we made note of earlier.

現在，展開“身份驗證提供程序”部分，您將看到以下屏幕。在Cognito下，我們將添加剛剛創建的Cognito用戶池。復制并粘貼我們前面提到的用戶池ID和應用程序客戶端ID。

And if we wanted Facebook login for the same user identity pool, we can go to the Facebook tab and simply enter our Facebook App ID. That’s all there is to it on the AWS console!

如果我們希望Facebook登錄同一用戶身份池，則可以轉到Facebook選項卡，只需輸入我們的Facebook App ID。這就是AWS控制臺上的全部內容！

Save the identity pool and you will be redirected to the below screen where IAM roles are created to represent the Federated Identity Pool. The unauthenticated IAM role is for non-logged in users, and the authenticated version is for logged in users. We can grant these IAM roles permission to access other AWS resources like S3 buckets and such. That is how we achieve greater security by integrating our app throughout the AWS ecosystem. Continue to finish creating this Identity Pool.

保存身份池，您將被重定向到以下屏幕，在該屏幕上創建了IAM角色以表示聯合身份池。未經身份驗證的IAM角色適用于未登錄的用戶，已認證的版本適用于已登錄的用戶。我們可以授予這些IAM角色訪問其他AWS資源(如S3存儲桶等)的權限。這就是我們通過在整個AWS生態系統中集成我們的應用程序來提高安全性的方式。繼續完成此身份池的創建。

You should now see the below screen after successfully creating the identity pool. You now only need to make note of 1 thing which is the Identity Pool ID (ie. us-east-1:65bd1e7d-546c-4f8c-b1bc-9e3e571cfaa7) which we will use later in our code. Great!

成功創建身份池后，現在應該看到以下屏幕。現在，您只需要記下1個東西，即身份池ID(即us-east-1:65bd1e7d-546c-4f8c-b1bc-9e3e571cfaa7 )，我們將在以后的代碼中使用它。大！

Exit everything and go back to the AWS Cognito main screen. If we enter the Cognito section or the Federated Identities section, we see that we have the 2 necessary pools set up. AWS Cognito and AWS Federated Identities are ready to go!

退出所有內容，然后返回到AWS Cognito主屏幕。如果我們進入“認知”部分或“聯合身份”部分，我們將看到已經設置了兩個必要的池。 AWS Cognito和AWS Federated Identities已準備就緒！

That’s all for set up! With these 2 pools we can integrate the rest of our code into Amazon’s complete authentication service and achieve top tier user management. That was way easier than custom OAuth+Passport.js! If you like what you’ve seen so far, keep reading! Remember that after you learn this once, it will be super easy in the future, so it is definitely worth the time investment. See you in the next section!

這就是設置的全部！通過這兩個池，我們可以將其余代碼集成到Amazon的完整身份驗證服務中，并實現頂級用戶管理。這比自定義OAuth + Passport.js容易得多！如果您喜歡到目前為止所看到的，請繼續閱讀！請記住，一旦學習了這一點，將來它將變得非常容易，因此絕對值得花時間進行投資。下一節見！