Problem description
For better security I would like to move all of my web application users to AWS Cognito. Is it possible to migrate the user data from mongodb to Cognito in such a way that all my customers can log in with their same old password? Or is it mandatory to change the password after migration?
A rough user table is below:
name:
email:
hash_password:
salt:
The hash_password and salt are strings which may have to be exported to a csv and then uploaded to cognito. But I do not see any such options in cognito.
I have hundreds of users and I do not want to force a password change on all of them. I have checked the AWS docs and they do not mention anything about migration from mongodb. Please let me know if it is possible and, if it is, how it can be achieved.
Recommended answer
There are several ways to achieve this:
- You can prepare a .CSV file and import it into the AWS Cognito user pool. The import process sets all user attributes except the password. The user's status in Cognito will be RESET_REQUIRED. Cognito forces a password reset.
Otherwise, you can write a script that will add all users from mongodb to Cognito in the following steps:
Use: AdminCreateUser
- Create a new user profile by using the AWS Management Console or by calling the AdminCreateUser API. Specify the temporary password (will be your user's password in mongodb) or allow Amazon Cognito to automatically generate one.
- Specify whether provided email addresses and phone numbers are marked as verified for new users. Specify custom SMS and email invitation messages for new users via the AWS Management Console.
- Specify whether invitation messages are sent via SMS, email, or both.
After the user is created successfully:
- Authenticate the user using the same user credentials. Use: SDK calls InitiateAuth(Username, USER_SRP_AUTH)
- After InitiateAuth succeeds, Amazon Cognito returns the PASSWORD_VERIFIER challenge with Salt & Secret block.
- Use RespondToAuthChallenge(Username, , PASSWORD_VERIFIER
- Amazon Cognito returns the NEW_PASSWORD_REQUIRED challenge along with the current and required attributes.
- The user is prompted and enters a new password and any missing values for required attributes.
- Call RespondToAuthChallenge(Username, , ).
After a successful password change, the user will be able to log in using the same credentials added in mongodb.
Note: there is a problem: if you are not able to decrypt user credentials from mongodb then the 2nd solution will not work.
- In that case, you can specify the temporary password (or allow Amazon Cognito to automatically generate one).
- All users will be forced to change their password only at first login.
Reference:
If you want to know how to write the CSV and import it into Cognito then check this link: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-using-import-tool-csv-header.html
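The scripted AdminCreateUser route described in the answer, as an added example that is not part of the original answer: it builds one request per MongoDB user document and leaves out TemporaryPassword so that Cognito generates one, because the stored hash_password and salt cannot be submitted as a password. The pool ID, the use of the email address as the username, the email_verified value and the sample documents are assumptions.

```python
# Constructed sample documents shaped like the user table in the question.
SAMPLE_USERS = [
    {"name": "Alice Example", "email": "alice@example.com ",
     "hash_password": "constructed-hash-1", "salt": "constructed-salt-1"},
    {"name": "Bob Example", "email": "bob@example.com",
     "hash_password": "constructed-hash-2", "salt": "constructed-salt-2"},
    {"name": "No Mail", "email": "", "hash_password": "x", "salt": "y"},
]


def build_request(user_pool_id, doc):
    """Return AdminCreateUser kwargs, or None if the doc has no usable email."""
    email = (doc.get("email") or "").strip()
    if "@" not in email:
        return None
    attributes = [
        {"Name": "email", "Value": email},
        # Assumption: the old application had already verified this address.
        {"Name": "email_verified", "Value": "true"},
    ]
    if doc.get("name"):
        attributes.append({"Name": "name", "Value": doc["name"]})
    # hash_password and salt are deliberately not copied. With no
    # TemporaryPassword, Cognito generates one and sends the invitation.
    return {
        "UserPoolId": user_pool_id,
        "Username": email,  # assumption: the pool accepts email as username
        "UserAttributes": attributes,
        "DesiredDeliveryMediums": ["EMAIL"],
    }


def migrate(user_pool_id, docs, client=None):
    """Create every valid user; return (created usernames, skipped docs)."""
    if client is None:
        import boto3  # imported lazily so build_request works offline
        client = boto3.client("cognito-idp")
    created, skipped = [], []
    for doc in docs:
        request = build_request(user_pool_id, doc)
        if request is None:
            skipped.append(doc)  # keep for manual follow-up
            continue
        client.admin_create_user(**request)
        created.append(request["Username"])
    return created, skipped
```

Review the skipped list before decommissioning the old user store, so that no account is silently dropped.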