So I'm trying to use Cognito Identity in a Node.js API. The goal in using Cognito Identity is to be able to give users a secure way to create a user account and log in. I'd use the API to make AWS Cognito calls to verify users, identifying them by email address. The API would then give users access based on who they are, based on their email.
I am able to create a user, verify the user's email, and log in to get an AccessToken, IdToken, and RefreshToken. That's great, but at this point I'm not entirely sure what to do with these tokens. I'd imagine I can somehow use them to verify the user every time they make a call to the API, but I'm uncertain how to do that.
I'm imagining the authentication flow going like this:
User logs in with password -> API makes a call to AWS for tokens -> API passes the tokens to the user's mobile device -> mobile device stores these tokens -> AccessToken is used to verify API calls until it expires -> RefreshToken is used to get a new set of tokens if the AccessToken expires -> if the RefreshToken has expired, the user must log in with username/password again.
Is this an incorrect or improper way of doing this? If I have the right idea, how do I use the tokens to accomplish this? I wasn't able to find documentation on the authentication process once the user gets the tokens. The only thing I can find that seems like it might accomplish this is here: http://docs.aws.amazon.com/awsjavascriptsdk/latest/aws/cognitoidentityserviceprovider.html#initiateauth-property
Your next step depends on which service you use and how you use it.
For example, for an API-driven application with Lambda / API Gateway, you'd use the Amazon Cognito User Pools authorizer on the API resource methods and send the ID token in the Authorization header of the API call. (Yes, the name is misleading. It should be "authentication", since the authorization logic is implemented in the Lambda function.)
Then, the Lambda function can access the identity claim properties from the user pool using the context object (when you enable Lambda proxy integration) as:
// With Lambda proxy integration the verified claims are on the request context of the event
const email = event.requestContext.authorizer.claims.email;
// or
const cognitoGroups = event.requestContext.authorizer.claims['cognito:groups'];
If you haven't enabled Lambda proxy integration, you should make sure to pass the values through in the body-mapping template.
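As an added example (not the answerer's code), here is a Node.js Lambda handler behind an API Gateway Cognito User Pools authorizer with proxy integration that applies the email/group-based access rules described above; the route policy and the claim shapes are assumptions for the illustration.

```javascript
// Added example: API Gateway has already checked the ID token's signature and
// expiry; this handler only decides access from the claims it forwards.
'use strict';

// Hypothetical access policy: which user-pool groups may reach which route.
const ROUTE_POLICY = {
  'GET /reports': ['admins', 'analysts'],
  'DELETE /users': ['admins'],
};

// `cognito:groups` reaches the handler as a string in proxy claims; normalise
// either "[a b]", "a,b" or a real array to a plain array (assumed formats).
function parseGroups(raw) {
  if (Array.isArray(raw)) return raw;
  if (typeof raw !== 'string' || raw.length === 0) return [];
  return raw.replace(/^\[|\]$/g, '').split(/[,\s]+/).filter(Boolean);
}

function respond(statusCode, body) {
  return { statusCode, headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) };
}

// Pure decision function so it can be exercised without a Lambda runtime.
function authorize(event) {
  const rc = event.requestContext || {};
  const claims = rc.authorizer && rc.authorizer.claims;
  if (!claims) return respond(401, { error: 'no authorizer claims on request' });
  // Only trust the address once the pool has marked it verified (claim is a string).
  if (String(claims.email_verified) !== 'true') return respond(403, { error: 'email not verified' });
  const route = `${event.httpMethod} ${event.resource}`;
  const allowed = ROUTE_POLICY[route];
  if (!allowed) return respond(404, { error: 'unknown route' });
  const groups = parseGroups(claims['cognito:groups']);
  if (!groups.some((g) => allowed.includes(g))) return respond(403, { error: 'forbidden' });
  return respond(200, { user: claims.email, route });
}

// Builds a constructed proxy-integration event for local testing.
function makeEvent(httpMethod, resource, claims) {
  return { httpMethod, resource, requestContext: { authorizer: { claims } } };
}

// Lambda entry point; the runtime awaits the promise and returns the response.
const handler = async (event) => authorize(event);

if (typeof module !== 'undefined') module.exports = { handler, authorize, makeEvent };
```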