Angular / Amplify security concerns - Cognito
Tags: angular, amazon-cognito, aws-amplify

I am trying to work out whether Cognito needs Amplify in order to be used from the front end, or whether there is a more secure way to set it up. The reason I ask is that I have a solution that lets me log into my app using Cognito, Amplify and Angular, but to make it work I have to put things like the userPoolId and UserPoolWebClientId into the auth.service.ts file. From a security standpoint that feels like a very bad thing to do. Normally I would expect this kind of sensitive information to be kept in the backend, but I have not yet seen a solution that does so. My Angular app is set up as follows in auth.service.ts:
import Amplify from 'aws-amplify';
import { CognitoUserPool } from 'amazon-cognito-identity-js';

// auth.service.ts: Amplify auth configuration (the ids below are placeholders)
Amplify.configure({
  Auth: {
    region: 'us-east-1',
    userPoolId: '<my user pool id was here. Seems insecure>',
    userPoolWebClientId: '<my user pool web client id was here. Seems insecure>',
    mandatorySignIn: false,
    oauth: {
      domain: 'mysite.auth.us-east-1.amazoncognito.com',
      scope: ['email', 'profile', 'openid'],
      redirectSignIn: 'http://localhost:4200/',
      redirectSignOut: 'http://localhost:4200/',
      responseType: 'code'
    }
  }
});

// The same ids are needed again for the lower-level Cognito SDK
const POOL_DATA = {
  UserPoolId: '<my user pool id was here. Seems insecure>',
  ClientId: '<my client id was here. Seems insecure>'
};
const userPool = new CognitoUserPool(POOL_DATA);
...
Is there something I am not aware of? Is there a more secure way to do this on the front end?

There is no option to use AWS Cognito on the front end without the pool id and web client id. I suggest you keep the credentials in the environment.ts file rather than in the service file:
// environment.ts (the two values are placeholders for the real ids)
export const environment = {
  production: false,
  envName: 'dev',
  cognitoUserPoolId: '<secure credential>',
  cognitoClientId: '<secure credential>'
};
// config.ts: maps the environment values onto the names the Cognito SDK expects
import { environment } from '<your folder path>/environments/environment';

export const CONFIG = {
  UserPoolId: environment.cognitoUserPoolId,
  ClientId: environment.cognitoClientId,
};
import Amplify from 'aws-amplify';
import { CONFIG } from '<your folder path>/config';

// auth.service.ts now reads the ids from CONFIG instead of hard-coding them
Amplify.configure({
  Auth: {
    region: 'us-east-1',
    userPoolId: CONFIG.UserPoolId,
    userPoolWebClientId: CONFIG.ClientId,
    mandatorySignIn: false
  }
});
This way the credentials are not exposed to the outside world. Hope this makes sense.
You are right to question everything you put in the front end, but these ids are not sensitive. If I wanted to authenticate through your application, I would still have to prove my identity claim to one of the identity providers you have chosen.

Think about how other web applications are implemented. You might have a backend REST endpoint that accepts a POST request containing authentication credentials. The fact that I can read the JavaScript code and extract the URL of the login endpoint does not mean it is insecure.

Protect the sensitive data on the backend with authorization controls. You should then be (relatively) safe in assuming that, while everyone can load the front-end code resources, any request they make for backend resources will be denied unless it carries a proper valid token.

This goes into a bit more detail.