Authenticating with Amazon Cognito Using Spring Security – 使用Spring Security对Amazon Cognito进行认证

1. Introduction

1.绪论

In this tutorial, we will look at how we can use Spring Security‘s OAuth 2.0 support to authenticate with Amazon Cognito.

在本教程中，我们将了解如何使用Spring Security的OAuth 2.0支持来验证Amazon Cognito。

Along the way, we’ll briefly take a look at what Amazon Cognito is and what kind of OAuth 2.0 flows it supports.

在此过程中，我们将简要地看一下Amazon Cognito是什么，以及它支持什么样的OAuth 2.0流。

In the end, we’ll have a simple one-page application. Nothing fancy.

最后，我们将有一个简单的单页应用程序。没有什么花哨的。

2. What Is Amazon Cognito?

2.什么是Amazon Cognito？

Cognito is a user identity and data synchronization service that makes it easy for us to manage user data for our apps across multiple devices.

Cognito是一项用户身份和数据同步服务，使我们能够轻松地在多个设备上管理我们应用程序的用户数据。

With Amazon Cognito, we can:

有了Amazon Cognito，我们可以。

• create, authenticate, and authorize users for our applications
• create identities for users of our apps who use other public identity providers like Google, Facebook, or Twitter
• save our app’s user data in key-value pairs

3. Setup

3.设置

3.1. Amazon Cognito Setup

3.1.亚马逊Cognito设置

As an Identity Provider, Cognito supports the authorization_code, implicit, and client_credentials grants. For our purposes, let’s set things up to use the authorization_code grant type.

作为一个身份提供者，Cognito支持authorization_code, implicit, 和client_credentials授予。为了我们的目的，让我们把事情设置为使用authorization_code授予类型。

First, we need a bit of Cognito setup:

首先，我们需要对Cognito进行一些设置。

• Create a User Pool
• Add a User – we’ll use this user to log into our Spring Application
• Create App Client
• Configure App Client

In the configuration of the application client, make sure the CallbackURL matches the redirect-uri from the Spring config file. In our case, this will be:

在应用程序客户端的配置中，确保CallbackURL与Spring配置文件中的redirect-uri匹配。在我们的例子中，这将是。

http://localhost:8080/login/oauth2/code/cognito

The Allowed OAuth flow should be Authorization code grant. Then, on the same page, we need to set the Allowed OAuth scope to openid.

允许的OAuth流程应该是授权代码授予。然后，在同一个页面，我们需要将允许的OAuth范围设置为openid.。

To redirect the user to Cognito’s custom login page, we also need to add a User Pool Domain.

为了将用户重定向到Cognito的自定义登录页面，我们还需要添加一个用户池域。

3.2. Spring Setup

3.2.Spring设置

Since we want to use OAuth 2.0 Login, we’ll need to add the spring-security-oauth2-client and spring-security-oauth2-jose dependencies to our application:

由于我们要使用OAuth 2.0登录，我们需要将spring-security-oauth2-client和spring-security-oauth2-jose依赖项添加到我们的应用程序。

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

And then, we’ll need some configuration to bind everything together:

然后，我们需要一些配置来把所有东西捆绑在一起。

spring:
  security:
    oauth2:
      client:
        registration:
          cognito:
            clientId: clientId
            clientSecret: clientSecret
            scope: openid
            redirect-uri: http://localhost:8080/login/oauth2/code/cognito
            clientName: clientName
        provider:
          cognito:
            issuerUri: https://cognito-idp.{region}.amazonaws.com/{poolId}
            user-name-attribute: cognito:username

In the above configuration, the properties clientId, clientSecret, clientName and issuerUri should be populated as per our User Pool and App Client created on AWS.

在上述配置中，属性clientId、clientSecret、clientName和issuerUri应按照我们在AWS上创建的User Pool和App Client来填充。

And with that, we should have Spring and Amazon Cognito set up! The rest of the tutorial defines our app’s security configuration and then just ties up a couple of loose ends.

这样一来，我们应该已经完成了Spring和Amazon Cognito的设置！其余的教程定义了我们的应用程序的安全配置，然后只是将一些未完成的工作完成。本教程的其余部分定义了我们的应用程序的安全配置，然后只是将一些松散的问题解决了。

3.3. Spring Security Configuration

3.3.Spring安全配置

Now we’ll add a security configuration class:

现在我们要添加一个安全配置类。

@Configuration
public class SecurityConfiguration {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf()
            .and()
            .authorizeRequests(authz -> authz.mvcMatchers("/")
                .permitAll()
                .anyRequest()
                .authenticated())
            .oauth2Login()
            .and()
            .logout()
            .logoutSuccessUrl("/");
        return http.build();
    }
}

Here we first specified that we need protection against CSRF attacks and then permitted everyone access to our landing page. After that, we added a call to oauth2Login to wire in the Cognito client registration.

在这里，我们首先指定我们需要防止CSRF攻击，然后允许每个人访问我们的登陆页面。之后，我们添加了一个对oauth2Login的调用，来连接Cognito客户端的注册。

4. Add a Landing Page

4.添加一个登陆页

Next, we add a simple Thymeleaf landing page so that we know when we’re logged in:

接下来，我们添加一个简单的Thymeleaf登陆页面，这样我们就可以知道我们什么时候登录了。

<div>
    <h1 class="title">OAuth 2.0 Spring Security Cognito Demo</h1>
    <div sec:authorize="isAuthenticated()">
        <div class="box">
            Hello, <strong th:text="${#authentication.name}">>!
        </div>
    </div>
    <div sec:authorize="isAnonymous()">
        <div class="box">
            <a class="button login is-primary" th:href="@{/oauth2/authorization/cognito}">
              Log in with Amazon Cognito</a>
        </div>
    </div>
</div>

Simply put, this will display our user name when we’re logged in or a login link when we’re not. Pay close attention to what the link looks like since it picks up the cognito part from our configuration file.

简单地说，这将在我们登录的时候显示我们的用户名，或者在我们没有登录的时候显示一个登录链接。密切注意这个链接的样子，因为它从我们的配置文件中提取了cognito部分。

And then let’s make sure we tie the application root to our welcome page:

然后，让我们确保我们将应用程序的根与我们的欢迎页面联系起来：。

@Configuration
public class CognitoWebConfiguration implements WebMvcConfigurer {
    @Override
    public void addViewControllers(ViewControllerRegistry registry) {
        registry.addViewController("/").setViewName("home");
    }
}

5. Run the App

5.运行该应用程序

This is the class that will put everything related to auth in motion:

这是一个将与授权有关的一切都付诸行动的类。

@SpringBootApplication
public class SpringCognitoApplication {
    public static void main(String[] args) {
        SpringApplication.run(SpringCognitoApplication.class, args);
    }
}

Now we can start our application, go to http://localhost:8080, and click the login link. On entering credentials for the user we created on AWS, we should be able to see a Hello, username message.

现在我们可以启动我们的应用程序，进入http://localhost:8080，并点击登录链接。在输入我们在AWS上创建的用户的凭证时，我们应该能够看到一个Hello, username消息。

6. Conclusion

6.结语

In this tutorial, we looked at how we can integrate Spring Security with Amazon Cognito with just some simple configuration. And then we put everything together with just a few pieces of code.

在本教程中，我们研究了如何通过一些简单的配置将Spring Security与Amazon Cognito整合起来。然后，我们只用几段代码就把所有东西整合在一起。

As always, the code presented in this article is available over on Github.

像往常一样，本文介绍的代码可在Github上获得。