本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。 # `RespondToAuthChallenge`与 AWS SDK 或 CLI 配合使用 以下代码示例演示如何使用 `RespondToAuthChallenge`。 操作示例是大型程序的代码摘录,必须在上下文中运行。在以下代码示例中,您可以查看此操作的上下文: + [向需要 MFA 的用户池注册用户](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md) ------ #### [ CLI ] **AWS CLI** **示例 1:响应 NEW\$1PASSWORD\$1REQUIRED 质询** 以下 `respond-to-auth-challenge` 示例响应了 initiate-auth 返回的 NEW\$1PASSWORD\$1REQUIRED 质询。它为用户 `jane@example.com` 设置密码。 ``` aws cognito-idp respond-to-auth-challenge \ --client-id 1example23456789 \ --challenge-name NEW_PASSWORD_REQUIRED \ --challenge-responses USERNAME=jane@example.com,NEW_PASSWORD=[Password] \ --session AYABeEv5HklEXAMPLE ``` 输出: ``` { "ChallengeParameters": {}, "AuthenticationResult": { "AccessToken": "ACCESS_TOKEN", "ExpiresIn": 3600, "TokenType": "Bearer", "RefreshToken": "REFRESH_TOKEN", "IdToken": "ID_TOKEN", "NewDeviceMetadata": { "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "DeviceGroupKey": "-wt2ha1Zd" } } } ``` 有关更多信息,请参阅《Amazon Cognito Developer Guide》**中的 [Authentication](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html)。 **示例 2:响应 SELECT\$1MFA\$1TYPE 质询** 以下 `respond-to-auth-challenge` 示例选择 TOTP MFA 作为当前用户的 MFA 选项。系统会提示用户选择 MFA 类型,接下来将提示用户输入其 MFA 代码。 ``` aws cognito-idp respond-to-auth-challenge \ --client-id 1example23456789 --session AYABeEv5HklEXAMPLE --challenge-name SELECT_MFA_TYPE --challenge-responses USERNAME=testuser,ANSWER=SOFTWARE_TOKEN_MFA ``` 输出: ``` { "ChallengeName": "SOFTWARE_TOKEN_MFA", "Session": "AYABeEv5HklEXAMPLE", "ChallengeParameters": { "FRIENDLY_DEVICE_NAME": "transparent" } } ``` 有关更多信息,请参阅《Amazon Cognito Developer Guide》**中的 [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html)。 **示例 3:响应 SOFTWARE\$1TOKEN\$1MFA 质询** 以下 `respond-to-auth-challenge` 示例提供 TOTP MFA 代码并完成登录。 ``` aws cognito-idp respond-to-auth-challenge \ --client-id 1example23456789 \ --session AYABeEv5HklEXAMPLE \ --challenge-name SOFTWARE_TOKEN_MFA \ --challenge-responses USERNAME=testuser,SOFTWARE_TOKEN_MFA_CODE=123456 ``` 输出: ``` { "AuthenticationResult": { "AccessToken": "eyJra456defEXAMPLE", "ExpiresIn": 3600, "TokenType": "Bearer", "RefreshToken": "eyJra123abcEXAMPLE", "IdToken": "eyJra789ghiEXAMPLE", "NewDeviceMetadata": { "DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "DeviceGroupKey": "-v7w9UcY6" } } } ``` 有关更多信息,请参阅《Amazon Cognito Developer Guide》**中的 [Adding MFA](https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-mfa.html)。 + 有关 API 的详细信息,请参阅*AWS CLI 命令参考[RespondToAuthChallenge](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/respond-to-auth-challenge.html)*中的。 ------ #### [ JavaScript ] **适用于 JavaScript (v3) 的软件开发工具包** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples)中查找完整示例,了解如何进行设置和运行。 ``` const respondToAuthChallenge = ({ clientId, username, session, userPoolId, code, }) => { const client = new CognitoIdentityProviderClient({}); const command = new RespondToAuthChallengeCommand({ ChallengeName: ChallengeNameType.SOFTWARE_TOKEN_MFA, ChallengeResponses: { SOFTWARE_TOKEN_MFA_CODE: code, USERNAME: username, }, ClientId: clientId, UserPoolId: userPoolId, Session: session, }); return client.send(command); }; ``` + 有关 API 的详细信息,请参阅 *适用于 JavaScript 的 AWS SDK API 参考[RespondToAuthChallenge](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/RespondToAuthChallengeCommand)*中的。 ------ #### [ Python ] **适用于 Python 的 SDK(Boto3)** 还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples)中查找完整示例,了解如何进行设置和运行。 登录跟踪的设备。要完成登录,客户端必须正确响应安全远程密码 (SRP) 质询。 ``` class CognitoIdentityProviderWrapper: """Encapsulates Amazon Cognito actions""" def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None): """ :param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client. :param user_pool_id: The ID of an existing Amazon Cognito user pool. :param client_id: The ID of a client application registered with the user pool. :param client_secret: The client secret, if the client has a secret. """ self.cognito_idp_client = cognito_idp_client self.user_pool_id = user_pool_id self.client_id = client_id self.client_secret = client_secret def sign_in_with_tracked_device( self, user_name, password, device_key, device_group_key, device_password, aws_srp, ): """ Signs in to Amazon Cognito as a user who has a tracked device. Signing in with a tracked device lets a user sign in without entering a new MFA code. Signing in with a tracked device requires that the client respond to the SRP protocol. The scenario associated with this example uses the warrant package to help with SRP calculations. For more information on SRP, see https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol. :param user_name: The user that is associated with the device. :param password: The user's password. :param device_key: The key of a tracked device. :param device_group_key: The group key of a tracked device. :param device_password: The password that is associated with the device. :param aws_srp: A class that helps with SRP calculations. The scenario associated with this example uses the warrant package. :return: The result of the authentication. When successful, this contains an access token for the user. """ try: srp_helper = aws_srp.AWSSRP( username=user_name, password=device_password, pool_id="_", client_id=self.client_id, client_secret=None, client=self.cognito_idp_client, ) response_init = self.cognito_idp_client.initiate_auth( ClientId=self.client_id, AuthFlow="USER_PASSWORD_AUTH", AuthParameters={ "USERNAME": user_name, "PASSWORD": password, "DEVICE_KEY": device_key, }, ) if response_init["ChallengeName"] != "DEVICE_SRP_AUTH": raise RuntimeError( f"Expected DEVICE_SRP_AUTH challenge but got {response_init['ChallengeName']}." ) auth_params = srp_helper.get_auth_params() auth_params["DEVICE_KEY"] = device_key response_auth = self.cognito_idp_client.respond_to_auth_challenge( ClientId=self.client_id, ChallengeName="DEVICE_SRP_AUTH", ChallengeResponses=auth_params, ) if response_auth["ChallengeName"] != "DEVICE_PASSWORD_VERIFIER": raise RuntimeError( f"Expected DEVICE_PASSWORD_VERIFIER challenge but got " f"{response_init['ChallengeName']}." ) challenge_params = response_auth["ChallengeParameters"] challenge_params["USER_ID_FOR_SRP"] = device_group_key + device_key cr = srp_helper.process_challenge(challenge_params, {"USERNAME": user_name}) cr["USERNAME"] = user_name cr["DEVICE_KEY"] = device_key response_verifier = self.cognito_idp_client.respond_to_auth_challenge( ClientId=self.client_id, ChallengeName="DEVICE_PASSWORD_VERIFIER", ChallengeResponses=cr, ) auth_tokens = response_verifier["AuthenticationResult"] except ClientError as err: logger.error( "Couldn't start client sign in for %s. Here's why: %s: %s", user_name, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return auth_tokens ``` + 有关 API 的详细信息,请参阅适用[RespondToAuthChallenge](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/RespondToAuthChallenge)于 *Python 的AWS SDK (Boto3) API 参考*。 ------ 有关 S AWS DK 开发者指南和代码示例的完整列表,请参阅[将此服务与 AWS SDK 配合使用](sdk-general-information-section.md)。本主题还包括有关入门的信息以及有关先前的 SDK 版本的详细信息。