本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
# `InitiateAuth` 搭配 AWS SDK 或 CLI 使用
下列程式碼範例示範如何使用 `InitiateAuth`。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
+ [使用 Lambda 函數自動確認已知使用者](cognito-identity-provider_example_cross_CognitoAutoConfirmUser_section.md)
+ [使用 Lambda 函數自動遷移已知使用者](cognito-identity-provider_example_cross_CognitoAutoMigrateUser_section.md)
+ [Amazon Cognito 使用者集區入門](cognito-identity-provider_example_cognito_identity_provider_GettingStarted_066_section.md)
+ [使用需要 MFA 的使用者集區註冊使用者](cognito-identity-provider_example_cognito-identity-provider_Scenario_SignUpUserWithMfa_section.md)
+ [進行 Amazon Cognito 使用者身分驗證後,可使用 Lambda 函數撰寫自訂活動資料](cognito-identity-provider_example_cross_CognitoCustomActivityLog_section.md)
------
#### [ .NET ]
**適用於 .NET 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/Cognito#code-examples)中設定和執行。
```
///
/// Initiate authorization.
///
/// The client Id of the application.
/// The name of the user who is authenticating.
/// The password for the user who is authenticating.
/// The response from the initiate auth request.
public async Task InitiateAuthAsync(string clientId, string userName, string password)
{
var authParameters = new Dictionary();
authParameters.Add("USERNAME", userName);
authParameters.Add("PASSWORD", password);
var authRequest = new InitiateAuthRequest
{
ClientId = clientId,
AuthParameters = authParameters,
AuthFlow = AuthFlowType.USER_PASSWORD_AUTH,
};
var response = await _cognitoService.InitiateAuthAsync(authRequest);
Console.WriteLine($"Result Challenge is : {response.ChallengeName}");
return response;
}
```
+ 如需 API 詳細資訊,請參閱《適用於 .NET 的 AWS SDK API 參考》**中的 [InitiateAuth](https://docs.aws.amazon.com/goto/DotNetSDKV3/cognito-idp-2016-04-18/InitiateAuth)。
------
#### [ CLI ]
**AWS CLI**
**讓使用者登入**
下列 `initiate-auth` 範例使用基本的使用者名稱密碼流程讓使用者登入,沒有額外的難題。
```
aws cognito-idp initiate-auth \
--auth-flow {{USER_PASSWORD_AUTH}} \
--client-id {{1example23456789}} \
--analytics-metadata {{AnalyticsEndpointId=d70b2ba36a8c4dc5a04a0451aEXAMPLE}} \
--auth-parameters {{USERNAME=testuser,PASSWORD=[Password]}} --user-context-data {{EncodedData=mycontextdata}} --client-metadata {{MyTestKey=MyTestValue}}
```
輸出:
```
{
"AuthenticationResult": {
"AccessToken": "eyJra456defEXAMPLE",
"ExpiresIn": 3600,
"TokenType": "Bearer",
"RefreshToken": "eyJra123abcEXAMPLE",
"IdToken": "eyJra789ghiEXAMPLE",
"NewDeviceMetadata": {
"DeviceKey": "us-west-2_a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
"DeviceGroupKey": "-v7w9UcY6"
}
}
}
```
如需詳細資訊,請參閱《*Amazon Cognito 開發人員指南*》中的[身分驗證](https://docs.aws.amazon.com/cognito/latest/developerguide/authentication.html)。
+ 如需 API 詳細資訊,請參閱《AWS CLI 命令參考》**中的 [InitiateAuth](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cognito-idp/initiate-auth.html)。
------
#### [ Go ]
**SDK for Go V2**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/gov2/cognito#code-examples)中設定和執行。
```
import (
"context"
"errors"
"log"
"github.com/aws/aws-sdk-go-v2/aws"
"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider"
"github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider/types"
)
type CognitoActions struct {
CognitoClient *cognitoidentityprovider.Client
}
// SignIn signs in a user to Amazon Cognito using a username and password authentication flow.
func (actor CognitoActions) SignIn(ctx context.Context, clientId string, userName string, password string) (*types.AuthenticationResultType, error) {
var authResult *types.AuthenticationResultType
output, err := actor.CognitoClient.InitiateAuth(ctx, &cognitoidentityprovider.InitiateAuthInput{
AuthFlow: "USER_PASSWORD_AUTH",
ClientId: aws.String(clientId),
AuthParameters: map[string]string{"USERNAME": userName, "PASSWORD": password},
})
if err != nil {
var resetRequired *types.PasswordResetRequiredException
if errors.As(err, &resetRequired) {
log.Println(*resetRequired.Message)
} else {
log.Printf("Couldn't sign in user %v. Here's why: %v\n", userName, err)
}
} else {
authResult = output.AuthenticationResult
}
return authResult, err
}
```
+ 如需 API 詳細資訊,請參閱《適用於 Go 的 AWS SDK API 參考》**中的 [InitiateAuth](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider#Client.InitiateAuth)。
------
#### [ JavaScript ]
**適用於 JavaScript (v3) 的 SDK**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/cognito-identity-provider#code-examples)中設定和執行。
```
const initiateAuth = ({ username, password, clientId }) => {
const client = new CognitoIdentityProviderClient({});
const command = new InitiateAuthCommand({
AuthFlow: AuthFlowType.USER_PASSWORD_AUTH,
AuthParameters: {
USERNAME: username,
PASSWORD: password,
},
ClientId: clientId,
});
return client.send(command);
};
```
+ 如需 API 詳細資訊,請參閱《適用於 JavaScript 的 AWS SDK API 參考》**中的 [InitiateAuth](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/cognito-identity-provider/command/InitiateAuthCommand)。
------
#### [ Python ]
**適用於 Python 的 SDK (Boto3)**
GitHub 上提供更多範例。尋找完整範例,並了解如何在 [AWS 程式碼範例儲存庫](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/cognito#code-examples)中設定和執行。
此範例示範如何使用追蹤的裝置開始進行身分驗證。若要完成登入,用戶端必須正確回應「安全遠端密碼」(SRP) 挑戰。
```
class CognitoIdentityProviderWrapper:
"""Encapsulates Amazon Cognito actions"""
def __init__(self, cognito_idp_client, user_pool_id, client_id, client_secret=None):
"""
:param cognito_idp_client: A Boto3 Amazon Cognito Identity Provider client.
:param user_pool_id: The ID of an existing Amazon Cognito user pool.
:param client_id: The ID of a client application registered with the user pool.
:param client_secret: The client secret, if the client has a secret.
"""
self.cognito_idp_client = cognito_idp_client
self.user_pool_id = user_pool_id
self.client_id = client_id
self.client_secret = client_secret
def sign_in_with_tracked_device(
self,
user_name,
password,
device_key,
device_group_key,
device_password,
aws_srp,
):
"""
Signs in to Amazon Cognito as a user who has a tracked device. Signing in
with a tracked device lets a user sign in without entering a new MFA code.
Signing in with a tracked device requires that the client respond to the SRP
protocol. The scenario associated with this example uses the warrant package
to help with SRP calculations.
For more information on SRP, see https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol.
:param user_name: The user that is associated with the device.
:param password: The user's password.
:param device_key: The key of a tracked device.
:param device_group_key: The group key of a tracked device.
:param device_password: The password that is associated with the device.
:param aws_srp: A class that helps with SRP calculations. The scenario
associated with this example uses the warrant package.
:return: The result of the authentication. When successful, this contains an
access token for the user.
"""
try:
srp_helper = aws_srp.AWSSRP(
username=user_name,
password=device_password,
pool_id="_",
client_id=self.client_id,
client_secret=None,
client=self.cognito_idp_client,
)
response_init = self.cognito_idp_client.initiate_auth(
ClientId=self.client_id,
AuthFlow="USER_PASSWORD_AUTH",
AuthParameters={
"USERNAME": user_name,
"PASSWORD": password,
"DEVICE_KEY": device_key,
},
)
if response_init["ChallengeName"] != "DEVICE_SRP_AUTH":
raise RuntimeError(
f"Expected DEVICE_SRP_AUTH challenge but got {response_init['ChallengeName']}."
)
auth_params = srp_helper.get_auth_params()
auth_params["DEVICE_KEY"] = device_key
response_auth = self.cognito_idp_client.respond_to_auth_challenge(
ClientId=self.client_id,
ChallengeName="DEVICE_SRP_AUTH",
ChallengeResponses=auth_params,
)
if response_auth["ChallengeName"] != "DEVICE_PASSWORD_VERIFIER":
raise RuntimeError(
f"Expected DEVICE_PASSWORD_VERIFIER challenge but got "
f"{response_init['ChallengeName']}."
)
challenge_params = response_auth["ChallengeParameters"]
challenge_params["USER_ID_FOR_SRP"] = device_group_key + device_key
cr = srp_helper.process_challenge(challenge_params, {"USERNAME": user_name})
cr["USERNAME"] = user_name
cr["DEVICE_KEY"] = device_key
response_verifier = self.cognito_idp_client.respond_to_auth_challenge(
ClientId=self.client_id,
ChallengeName="DEVICE_PASSWORD_VERIFIER",
ChallengeResponses=cr,
)
auth_tokens = response_verifier["AuthenticationResult"]
except ClientError as err:
logger.error(
"Couldn't start client sign in for %s. Here's why: %s: %s",
user_name,
err.response["Error"]["Code"],
err.response["Error"]["Message"],
)
raise
else:
return auth_tokens
```
+ 如需 API 詳細資訊,請參閱《AWS SDK for Python (Boto3) API 參考》**中的 [InitiateAuth](https://docs.aws.amazon.com/goto/boto3/cognito-idp-2016-04-18/InitiateAuth)。
------
如需 AWS SDK 開發人員指南和程式碼範例的完整清單,請參閱 [搭配 AWS SDK 使用此服務](sdk-general-information-section.md)。此主題也包含有關入門的資訊和舊版 SDK 的詳細資訊。