Amazon Cognito login authentication with Laravel, part 1: the login feature
OAuth and OIDC are the mechanisms behind most of the world's login features, and I had the nagging feeling that I understood them only superficially.
Recently I had occasion to work on login functionality at work, so I took it as a chance to deepen my understanding by actually implementing one; this article collects what I found.
This time the implementation uses Amazon Cognito, AWS's authentication service.
■ Goals
Build a login feature that uses Cognito
Customize the login feature
Integrate the user registration data held in Cognito
■ Reference URL
https://qiita.com/tomoeine/items/40a966bf3801633cf90f
Login authentication with Laravel series
- Amazon Cognito login authentication with Laravel, part 1: the login feature ← you are here
- Amazon Cognito login authentication with Laravel, part 2: user registration
- 1. Screen flow of the finished system
- 2. Setting up Amazon Cognito
- 2.1. User pool settings
- 2.2. Preparing a test user
- 3. Implementing the login feature in Laravel
- 3.1. A quick review of Laravel authentication
- 3.1.1. Guard
- 3.1.2. Provider
- 4. Config file settings
- 5. Cognito integration
- 5.1.1. Key point: Http::asForm()
- 6. Creating the JWT verification class
- 7. Creating the Guard
- 7.1. Creating a Guard that uses Cognito
- 8. Service provider configuration
- 8.1. Invoking CognitoGuard
- 9. Implementing the controller
- 9.1. index method
- 9.2. callback method
- 10. Summary
Screen flow of the finished system

There are several ways to do this; this article uses Amazon Cognito's own login page.
Laravel sends the browser to the authorization endpoint that Amazon Cognito provides and receives an authorization code back.
Note: this uses the hosted web UI (the login page prepared on the AWS side). That page cannot be localized into Japanese.
This matters, so I will say it again: it cannot be localized into Japanese.
Setting up Amazon Cognito
Cognito manages two kinds of pool, "user pools" and "identity pools". The difference is as follows; since this is for ordinary end users, a user pool is used here.
- User pool: used to manage user accounts on a membership site and the like
- Identity pool: used for things such as managing an organization's accounts
User pool settings
The settings are walked through step by step below.
It is also fine to go with the defaults, checking each one as you go.

First is the user sign-in method. Since users will log in with their email address, choose the "Email" option.
User name or phone number sign-in can also be configured.

Next are password strength and self-sign-up.
The default password strength is fine. If you have a security policy, configure it according to the policy.
Self-sign-up is allowed by default, so leave it as is. On a members-only site where only administrators may create users, change this setting.

Next is multi-factor authentication. Cognito makes MFA simple to enable.
Since this is only a test of login authentication, it is turned off. The setting can be changed later to use MFA.

This screen configures the email sent for email-address verification. The From address can be changed.
Mail can be sent through Amazon SES, but that is not used here.
The screenshot does not capture everything, but the body of the sent email can also be customized on this screen.

Next is the app client. The app client name is used as a value in the code when implementing the login feature.
The remaining settings can be left at their defaults.

For the authentication flow, refresh-token-based authentication is used; it is checked by default.
Other flows are also checked by default; this walkthrough does not use them, so they can be unchecked.

That completes the Cognito setup.
Preparing a test user
Once the settings are complete, create a user for testing first. This user will be used to verify the authentication link between Laravel and Cognito.
Users are registered under "Users and groups".

Proceeding through "Create user" shows the screen below. Since login will use only email address and password, no phone number is needed.
The user name is not used either, so entering an email address is enough for now.

Duplicate email addresses are rejected by default.
Pressing "Create user" sends a verification code to the email address; enter the code to complete verification.
Ticking "Mark email as verified?" makes this step unnecessary.

That completes the preparation of the test account.
It will be used to verify the login feature later, so keep a note of the password.
Implementing the login feature in Laravel
Laravel ships with a complete set of authentication features, and this walkthrough builds on them.
```bash
php artisan make:auth
```
That prepares the authentication scaffolding. (In Laravel 6 and later this scaffolding moved to the laravel/ui package, where the equivalent command is `php artisan ui:auth`.)
Controllers, views and the rest of the source are generated.
A quick review of Laravel authentication
Before starting the implementation, a quick review of how login works in Laravel.
There are two key pieces.
Guard
A guard defines the use cases and the authentication method involved in authenticating a request.
There is a class for each authentication method; the one most commonly used is SessionGuard.
src/Illuminate/Auth/SessionGuard.php
It contains a lot of logic, so only the important methods are covered.
| Method | Description |
|---|---|
| attempt | Receives credentials as a parameter and attempts authentication. Identifying the account from the credentials is done by the Provider described below. Once the user has been identified, the post-authentication work is done by calling the login method. |
| login | Receives the user and performs the post-authentication work: concretely, it starts the session so that the logged-in state is retained. |
| user | Returns the logged-in user. If the Guard instance does not already hold a user, it tries to load one from the session. This appears to be what gets called when a page that requires login is accessed. |
Provider
The main authentication logic lives here; it is the heart of Laravel authentication.
src/Illuminate/Auth/EloquentUserProvider.php
You will rarely need to look at its internals, so the explanation is omitted.
Reference site
https://qiita.com/tomoeine/items/40a966bf3801633cf90f
Config file settings
Before implementing, check where Guard and Provider are configured in the config files and change them as needed.
The settings live in auth.php in the config directory.
```php
'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
],
```
This specifies the default Guard, and for each Guard the driver and provider it uses.
A new Guard named cognito is added here.
```php
'defaults' => [
    'guard' => 'web',
    'passwords' => 'users',
],

'guards' => [
    'web' => [
        'driver' => 'session',
        'provider' => 'users',
    ],
    'cognito' => [
        'driver' => 'cognito',
        'provider' => 'users',
        'hash' => false,
    ],
],
```
The driver setting is effectively the name of the Guard. When creating a custom Guard class, its class name needs to be the driver name plus "Guard". (Laravel itself maps the driver name to whatever the closure registered with Auth::extend, shown later, returns; the class name is the convention followed in this article.)
Since the driver is named cognito here, the custom Guard class is CognitoGuard. More on that later.
Cognito integration
Create a class for talking to Cognito.
The required components come from the AWS SDK, which is installed with Composer.
```bash
composer require aws/aws-sdk-php
```
The Cognito integration class is as follows.
```php
<?php

namespace App\Cognito;

use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Illuminate\Support\Facades\Http;
use Illuminate\Support\Facades\Log;

class CognitoClient
{
    protected $client;
    protected $clientId;
    protected $poolId;
    protected $authorization;

    public function __construct(CognitoIdentityProviderClient $client)
    {
        $this->client = $client;
        $this->clientId = config('cognito.clientId');
        $this->poolId = config('cognito.poolId');
        // Basic credentials for the token endpoint (client_id:client_secret, base64).
        // The original read the secret from a non-existent key ('clientId.clientSecret').
        $this->authorization = base64_encode(config('cognito.clientId').':'.config('cognito.clientSecret'));
    }

    // Exchanges the authorization code for tokens at the Cognito token endpoint.
    // $code_challenge is accepted for compatibility with the controller but is not used
    // (a PKCE flow would send a code_verifier here instead).
    public function fetchTokenEndpoint($code, $code_challenge = null)
    {
        try {
            $response = Http::asForm()
                ->contentType('application/x-www-form-urlencoded')
                ->retry(3, 100)
                ->post(config('cognito.token_endpoint'), [
                    'client_id' => $this->getClientId(),
                    'grant_type' => 'authorization_code',
                    'code' => $code, // required: the value returned by the authorization endpoint
                    'redirect_uri' => config('cognito.callback_uri'), // required if redirect_uri was sent in the authorization request
                    'client_secret' => config('cognito.clientSecret'),
                ]);
            if (!$response->successful()) {
                throw new \Exception('status code error:'.$response->status());
            }
        } catch (\Exception $e) {
            Log::warning(self::class.': token request failed: '.$e->getMessage());
            return null;
        }
        // Decode the JSON body (id_token, access_token, refresh_token, ...) into an object.
        return json_decode($response->body());
    }

    public function getClientId()
    {
        return $this->clientId;
    }
}
```
Key point: Http::asForm()
When the request must be sent with the content type x-www-form-urlencoded, Laravel requires asForm.
From the Laravel 8.x HTTP Client documentation, "Sending form URL encoded requests": when sending data using the application/x-www-form-urlencoded content type, you must call the asForm method before making the request.
The settings needed are collected in a config file; a new config file for "cognito" was created.
```php
<?php

return [
    'clientId' => '{clientId}',
    'clientSecret' => '{clientSecret}',
    'poolId' => 'ap-northeast-1_{your pool id}',
    'region' => 'ap-northeast-1',
    'version' => 'latest',
    'endpoint' => 'https://{your domain}.auth.ap-northeast-1.amazoncognito.com/',
    'token_endpoint' => 'https://{your domain}.auth.ap-northeast-1.amazoncognito.com/oauth2/token',
    'callback_uri' => 'http://localhost:8000/login_cognito/callback/',
    // the JWKS URL is built from the same region and pool ID as poolId above
    'jwk' => 'https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_{your pool id}/.well-known/jwks.json',
];
```
Set clientId and the rest according to your own environment. Keep clientSecret out of version control, for example by reading it from the environment with env().
The callback URI is set to localhost for development. It must match the one registered on the Cognito settings screen exactly.
Creating the JWT verification class
firebase/php-jwt is used to verify the JWT.
```bash
composer require firebase/php-jwt
```
JWT verification is implemented as follows.
```php
<?php

namespace App\Services;

use Exception;
use Firebase\JWT\JWK;
use Firebase\JWT\JWT;
use Illuminate\Support\Facades\Http;
use UnexpectedValueException;

class JWTVerifier
{
    /**
     * Verify a Cognito ID token and return its decoded payload.
     *
     * @param string $jwt
     * @return object
     * @throws Exception
     */
    public function decode(string $jwt)
    {
        $tks = explode('.', $jwt);
        if (count($tks) !== 3) {
            throw new Exception('Invalid token format');
        }
        $header = $tks[0];
        $jwks = $this->fetchJWKs();
        try {
            $kid = $this->getKid($header);           // take kid from the JWT header
            $alg = $this->getAlg($jwks, $kid);       // take the signing algorithm from the matching JWK
            $key = $this->getKey($jwks, $kid, $alg); // build the decoding key from the JWK
            $payload = JWT::decode($jwt, $key);      // verifies signature, exp, nbf and iat
        } catch (UnexpectedValueException $e) {
            throw new Exception('Invalid token parameter', 0, $e);
        }
        $this->assertClaims($payload);
        return $payload;
    }

    // A valid signature is not enough: the token must come from this user pool,
    // be issued for this app client, and be an ID token rather than an access token.
    private function assertClaims(object $payload): void
    {
        $issuer = 'https://cognito-idp.'.config('cognito.region').'.amazonaws.com/'.config('cognito.poolId');
        if (($payload->iss ?? null) !== $issuer) {
            throw new Exception('Unexpected issuer');
        }
        if (($payload->aud ?? null) !== config('cognito.clientId')) {
            throw new Exception('Unexpected audience');
        }
        if (($payload->token_use ?? null) !== 'id') {
            throw new Exception('Not an ID token');
        }
    }

    private function getKid(string $headb64)
    {
        $header = json_decode(JWT::urlsafeB64Decode($headb64), true);
        if (is_array($header) && array_key_exists('kid', $header)) {
            return $header['kid'];
        }
        throw new \RuntimeException('kid not found in token header');
    }

    private function getKey(array $jwks, string $kid, string $alg)
    {
        $keys = JWK::parseKeySet($jwks, $alg);
        if (array_key_exists($kid, $keys)) {
            return $keys[$kid];
        }
        throw new \RuntimeException('No JWK matches kid '.$kid);
    }

    private function getAlg(array $jwks, string $kid)
    {
        if (!array_key_exists('keys', $jwks)) {
            throw new \RuntimeException('JWKS has no keys');
        }
        foreach ($jwks['keys'] as $key) {
            if ($key['kid'] === $kid && array_key_exists('alg', $key)) {
                return $key['alg'];
            }
        }
        throw new \RuntimeException('No JWK matches kid '.$kid);
    }

    private function fetchJWKs(): array
    {
        // Cognito publishes the pool's public keys at /.well-known/jwks.json; cache this in production.
        $response = Http::get(config('cognito.jwk'));
        return json_decode($response->body(), true) ?: [];
    }
}
```
Creating the Guard
The Guard extends SessionGuard, using it as the reference.
First, the relevant parts of SessionGuard.
```php
public function __construct($name,
                            UserProvider $provider,
                            Session $session,
                            Request $request = null)
{
    $this->name = $name;
    $this->session = $session;
    $this->request = $request;
    $this->provider = $provider;
}

public function attempt(array $credentials = [], $remember = false)
{
    $this->fireAttemptEvent($credentials, $remember);

    $this->lastAttempted = $user = $this->provider->retrieveByCredentials($credentials);

    if ($this->hasValidCredentials($user, $credentials)) {
        $this->login($user, $remember);

        return true;
    }

    // the excerpt originally stopped here; this is how the method ends in Laravel
    $this->fireFailedEvent($user, $credentials);

    return false;
}

public function user()
{
    if ($this->loggedOut) {
        return;
    }

    if (! is_null($this->user)) {
        return $this->user;
    }

    $id = $this->session->get($this->getName());

    if (! is_null($id) && $this->user = $this->provider->retrieveById($id)) {
        $this->fireAuthenticatedEvent($this->user);
    }

    if (is_null($this->user) && ! is_null($recaller = $this->recaller())) {
        $this->user = $this->userFromRecaller($recaller);

        if ($this->user) {
            $this->updateSession($this->user->getAuthIdentifier());

            $this->fireLoginEvent($this->user, true);
        }
    }

    return $this->user;
}
```
Creating a Guard that uses Cognito
```php
<?php

namespace App\Services;

use Illuminate\Auth\SessionGuard;
use Illuminate\Contracts\Auth\UserProvider;
use Illuminate\Contracts\Session\Session;

class CognitoGuard extends SessionGuard
{
    public $name;
    private $jwt_verifier;
    protected $provider;
    protected $session;

    public function __construct($name, JWTVerifier $JWTVerifier, Session $session, UserProvider $userProvider)
    {
        $this->name = $name;
        $this->jwt_verifier = $JWTVerifier;
        $this->session = $session;
        $this->provider = $userProvider;
    }

    // The credentials are the tokens from Cognito, not a password: verify the ID token,
    // then look up the local user by the e-mail claim and open the session for them.
    public function attempt(array $credentials = [], $remember = false)
    {
        $decoded_jwt = $this->jwt_verifier->decode($credentials['id_token']);
        $lookup = ['email' => $decoded_jwt->email];
        $this->fireAttemptEvent($lookup, $remember);
        $this->lastAttempted = $user = $this->provider->retrieveByCredentials($lookup);
        // No local user with this address: report failure instead of calling login() with null.
        if (is_null($user)) {
            $this->fireFailedEvent($user, $lookup);
            return false;
        }
        $this->login($user, $remember);
        return true;
    }
}
```
The UserProvider configured in config is injected and used.
```php
'providers' => [
    'users' => [
        'driver' => 'eloquent',
        'model' => App\Models\User::class,
    ],
],
```
The driver is eloquent: this is exactly the EloquentUserProvider that appeared in the Provider section.
src/Illuminate/Auth/EloquentUserProvider.php
Service provider configuration
Because the authentication decision has to be inserted into request handling, it is configured in a service provider.
This gives a flow in which a request that arrives with an authenticated session is logged in automatically.
Invoking CognitoGuard
The service provider creates the CognitoGuard instance that performs authentication.
```php
<?php

namespace App\Providers;

use App\Services\CognitoGuard;
use App\Services\JWTVerifier;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Auth;

class AuthServiceProvider extends ServiceProvider
{
    protected $policies = [
    ];

    public function boot()
    {
        $this->registerPolicies();

        // Register the 'cognito' driver named in config/auth.php. Laravel passes the guard name
        // ('cognito') and its config array; the original passed config('auth.defaults.guards'),
        // a key that does not exist, as the name.
        Auth::extend('cognito', function ($app, $name, array $config) {
            return new CognitoGuard(
                $name,
                new JWTVerifier(),
                $app['session.store'],
                Auth::createUserProvider($config['provider'])
            );
        });
    }
}
```
Implementing the controller
Finally, the controller.
A Cognito-specific LoginController is created separately from the default LoginController.
```php
<?php

namespace App\Http\Controllers;

use App\Cognito\CognitoClient;
use App\Providers\RouteServiceProvider;
use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class LoginCognitoController extends Controller
{
    use AuthenticatesUsers;

    protected $redirectTo = RouteServiceProvider::HOME;

    public function __construct()
    {
        $this->middleware('guest')->except('logout');
    }

    // Builds the authorization request and sends the browser to the Cognito hosted login page.
    public function index()
    {
        $client = $this->cognitoClient();
        // http_build_query URL-encodes redirect_uri, which the original string concatenation did not
        $query = http_build_query([
            'response_type' => 'code',
            'client_id' => $client->getClientId(),
            'redirect_uri' => config('cognito.callback_uri'),
            'state' => 'authorization',
        ]);
        return redirect(config('cognito.endpoint').'login?'.$query);
    }

    // Cognito redirects back here with ?code=...&state=...; exchange the code for tokens
    // and hand the ID token to the cognito guard.
    public function callback(Request $request)
    {
        $state = $request->input('state');
        $code_challenge = $request->input('code_challenge');
        $code = $request->input('code');
        $loggedIn = false;
        // fetch the tokens
        if ($state == 'authorization' && !empty($code)) {
            $tokens = $this->fetchToken($code, $code_challenge);
            if ($tokens !== null) {
                $credentials['id_token'] = $tokens->id_token;
                $credentials['access_token'] = $tokens->access_token;
                $credentials['refresh_token'] = $tokens->refresh_token;
                $loggedIn = Auth::guard('cognito')->attempt($credentials);
            }
        }
        // the original tested an undefined $redirect_url here; branch on the login result instead
        return $loggedIn ? redirect('/home') : redirect('/');
    }

    private function fetchToken($code, $code_challenge)
    {
        Log::info(self::class.' '.__FUNCTION__);
        return $this->cognitoClient()->fetchTokenEndpoint($code, $code_challenge);
    }

    private function cognitoClient(): CognitoClient
    {
        $config = [
            'region' => config('cognito.region'),
            'version' => config('cognito.version'),
        ];
        return new CognitoClient(new CognitoIdentityProviderClient($config));
    }
}
```
index method
This handles the request for the login page URL: it builds the URL of the Cognito login page and redirects to it.
| Query parameter | Description |
|---|---|
| response_type | code or token. This is the authorization code flow, so code is specified. |
| client_id | The client ID shown in the Cognito console. |
| redirect_uri | The callback URL. |
| state | The CSRF-protection parameter. In this sample a string is encrypted and passed through as is. Note that a fixed value does not protect against CSRF: the state should be an unguessable per-request value kept in the session and compared in the callback. |
callback method
Takes the code from the response parameters and handles the token exchange.
The call to the token endpoint is handled by the CognitoClient class.
See the official AWS documentation for details.
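As an added example (not the article's code), the same two actions with a per-request random state: index() stores it in the session and callback() refuses to exchange the code unless the returned state matches. It assumes this article's config keys, CognitoClient and the cognito guard; the controller class name and the session key are invented for the example.

```php
<?php
// Added example: per-request OAuth state for index()/callback(). Assumes this article's
// config keys, CognitoClient and the 'cognito' guard; class and session key names are ours.
namespace App\Http\Controllers;

use App\Cognito\CognitoClient;
use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;

class LoginCognitoStateController extends Controller
{
    const STATE_KEY = 'cognito_oauth_state'; // session key, our own name

    // Issue an unguessable state, keep it in the session, and send it to Cognito.
    public function index(Request $request)
    {
        $state = Str::random(40);
        $request->session()->put(self::STATE_KEY, $state);
        $query = http_build_query([
            'response_type' => 'code',
            'client_id' => config('cognito.clientId'),
            'redirect_uri' => config('cognito.callback_uri'),
            'state' => $state,
        ]);
        return redirect(config('cognito.endpoint').'login?'.$query);
    }

    // Reject the callback unless it carries the state we issued; pull() removes it from the
    // session, so a replayed or forged callback cannot match a second time.
    public function callback(Request $request)
    {
        $expected = $request->session()->pull(self::STATE_KEY);
        $given = (string) $request->input('state', '');
        if (!is_string($expected) || !hash_equals($expected, $given)) {
            abort(403, 'state mismatch');
        }
        $code = $request->input('code');
        if (empty($code)) {
            return redirect('/');
        }
        $client = new CognitoClient(new CognitoIdentityProviderClient([
            'region' => config('cognito.region'), 'version' => config('cognito.version'),
        ]));
        $tokens = $client->fetchTokenEndpoint($code, null);
        if ($tokens === null || !Auth::guard('cognito')->attempt(['id_token' => $tokens->id_token])) {
            return redirect('/');
        }
        return redirect('/home');
    }
}
```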
Summary
Laravel's built-in authentication is very convenient, but cross-site SSO and MFA are quite a hurdle to implement with it.
An external authentication service such as Amazon Cognito makes these features easy to add, so you can concentrate on the application itself.
Authentication is indispensable for something like a membership site, so it is worth considering as one of the options.