
Restricting login to an AWS Federated Identity Pool to an Enterprise Google Domain


I'm using a federated identity pool with aws-amplify (https://aws.github.io/aws-amplify/media/authentication_guide#enabling-federated-identities), and I want to limit the scope of the domain to my Google domain organisation (e.g. johndoe@foobar.com).

There seems to be no way to lock this down in the Google API console or in the AWS Cognito Identity Pool settings; the only hint is that an hd parameter can be appended to the Google request to restrict by domain (which would still require modifying the aws-amplify core package), and it is still insecure because anyone can make the same request without the hd parameter and get access to Cognito.

My question is: is there any way to restrict the Google OAuth key so that it only allows @foobar.com email addresses, or to enforce the same restriction with AWS Cognito?

1 Answer

  • 1

    I believe I've found a solution (from a few quick tests it seems to work fine).

    Don't try to control the hosted-domain part through the trust relationship in the role. Go to: Cognito / Edit identity pool / Authentication providers, select Google. Under "Authenticated role selection" choose "Choose role with rules". Now require the claim "hd" to be "Equals" <your-domain>, and set "Role resolution" to "Deny".

    Source: https://forums.aws.amazon.com/thread.jspa?messageID=527303

    Here is a CloudFormation stack that sets everything up in one go (identity pool, roles, etc.). You'll need to make the necessary adjustments everywhere marked with an EDIT HERE comment.

    AWSTemplateFormatVersion: "2010-09-09"
    Description: "An Identity Pool stack which uses Google for sign-in"

    Resources:
      IdentityPool:
        Type: AWS::Cognito::IdentityPool
        Properties:
          IdentityPoolName: identity_pool_a
          AllowUnauthenticatedIdentities: false
          SupportedLoginProviders:
            # EDIT HERE: the OAuth client ID of your Google project
            "accounts.google.com": "11111111111-22222222222222222222222222222222.apps.googleusercontent.com"

      # Deny-all role: the default for both unauthenticated and authenticated
      # identities, so any Google account that does not match the hd rule
      # below ends up with no permissions.
      IdentityForbiddenRole:
        Type: AWS::IAM::Role
        Properties:
          MaxSessionDuration: 3600
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Federated: "cognito-identity.amazonaws.com"
                Action:
                  - "sts:AssumeRoleWithWebIdentity"
                Condition:
                  StringEquals:
                    "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
                  ForAnyValue:StringLike:
                    "cognito-identity.amazonaws.com:amr": unauthenticated
          Policies:
            - PolicyName: None
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Deny
                    Action: "*"
                    Resource: "*"

      # The only role with real permissions; reachable solely through the
      # hd rule in RoleAttachment.
      IdentityAllowedRole:
        Type: AWS::IAM::Role
        Properties:
          MaxSessionDuration: 3600
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Federated: "cognito-identity.amazonaws.com"
                Action:
                  - "sts:AssumeRoleWithWebIdentity"
                Condition:
                  StringEquals:
                    "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
                  ForAnyValue:StringLike:
                    "cognito-identity.amazonaws.com:amr": authenticated
          Policies:
            - PolicyName: UserPermissions
              PolicyDocument:
                Version: "2012-10-17"
                Statement:
                  - Effect: Allow
                    # EDIT HERE: the permissions your users actually need
                    Action: "s3:GetObject"
                    # EDIT HERE:
                    Resource: "arn:aws:s3:::my-bucket/*"

      RoleAttachment:
        Type: AWS::Cognito::IdentityPoolRoleAttachment
        Properties:
          IdentityPoolId: !Ref IdentityPool
          # Both defaults point at the deny role on purpose.
          Roles:
            unauthenticated: !GetAtt IdentityForbiddenRole.Arn
            authenticated: !GetAtt IdentityForbiddenRole.Arn
          RoleMappings:
            accounts.google.com:
              # A token that matches no rule is denied rather than falling
              # back to the default authenticated role.
              AmbiguousRoleResolution: Deny
              Type: Rules
              RulesConfiguration:
                Rules:
                  - Claim: hd
                    MatchType: Equals
                    # EDIT HERE: your Google hosted domain
                    Value: mydomain.com
                    RoleARN: !GetAtt IdentityAllowedRole.Arn
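Added example (not part of the original question or answer): a Python check that takes the dict returned by the GetIdentityPoolRoles API (boto3 `get_identity_pool_roles`) and verifies that the configuration above really leaves the `hd` rule as the only route to a permissive role. The role ARNs and both sample responses are constructed.

```python
import copy
from typing import Any, Dict, List

# Constructed sample ARNs standing in for the template's !GetAtt values.
ALLOWED_ROLE = "arn:aws:iam::111122223333:role/IdentityAllowedRole"
FORBIDDEN_ROLE = "arn:aws:iam::111122223333:role/IdentityForbiddenRole"


def audit_google_domain_lock(roles: Dict[str, Any], domain: str,
                             deny_role_arn: str) -> List[str]:
    """Return findings (empty list = the domain lock is in place).
    ``roles`` has the shape of a GetIdentityPoolRoles response, as returned by
    boto3.client("cognito-identity").get_identity_pool_roles(IdentityPoolId=...).
    """
    findings: List[str] = []
    # Both default roles must deny: a Google token with a foreign hd (or no hd
    # at all) otherwise lands on the default authenticated role.
    for kind in ("authenticated", "unauthenticated"):
        if roles.get("Roles", {}).get(kind) != deny_role_arn:
            findings.append(f"default {kind} role is not the deny role")
    mapping = roles.get("RoleMappings", {}).get("accounts.google.com")
    if mapping is None:
        return findings + ["no role mapping for accounts.google.com"]
    # A token matching no rule must be denied, not fall back to a role.
    if mapping.get("AmbiguousRoleResolution") != "Deny":
        findings.append("AmbiguousRoleResolution is not Deny")
    rules = mapping.get("RulesConfiguration", {}).get("Rules", [])
    for rule in rules:
        # Only an exact hd match may lead to a permissive role; Contains or
        # StartsWith on hd would also accept look-alike domains.
        exact = (rule.get("Claim") == "hd" and rule.get("MatchType") == "Equals"
                 and rule.get("Value") == domain)
        if not exact and rule.get("RoleARN") != deny_role_arn:
            findings.append(f"rule grants a role without hd == {domain}: {rule}")
    if not any(r.get("Claim") == "hd" for r in rules):
        findings.append("no rule on the hd claim")
    return findings


# Constructed sample mirroring the template above (correct configuration).
GOOD_CONFIG: Dict[str, Any] = {
    "Roles": {"authenticated": FORBIDDEN_ROLE, "unauthenticated": FORBIDDEN_ROLE},
    "RoleMappings": {"accounts.google.com": {
        "Type": "Rules", "AmbiguousRoleResolution": "Deny",
        "RulesConfiguration": {"Rules": [{"Claim": "hd", "MatchType": "Equals",
                                          "Value": "foobar.com", "RoleARN": ALLOWED_ROLE}]}}}}
# Constructed misconfiguration: permissive default, fallback role, substring match.
BAD_CONFIG = copy.deepcopy(GOOD_CONFIG)
BAD_CONFIG["Roles"]["authenticated"] = ALLOWED_ROLE
GOOGLE_BAD = BAD_CONFIG["RoleMappings"]["accounts.google.com"]
GOOGLE_BAD["AmbiguousRoleResolution"] = "AuthenticatedRole"
GOOGLE_BAD["RulesConfiguration"]["Rules"][0]["MatchType"] = "Contains"
```

Against the stack above, `audit_google_domain_lock(response, "mydomain.com", forbidden_role_arn)` should return an empty list; each finding names one way a non-domain Google account could reach a permissive role.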
