Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

will JWKS for verifying signature of Cognito access token expire?

0

I am storing the JWK Set for my user pool locally in server and comparing it against the accessToken from cognto to verify the request. I have doubt whether the JWKS have any sort of validity and become void after expiry?

Themen
Sicherheit, Identität & Konformität
Tags
Amazon CognitoAmazon Cognito-Benutzergruppen
Sprache
English
IndieGameDeveloperFromParallelWorld
gefragt vor 7 Monaten401 Aufrufe
1 Antwort
0
Akzeptierte Antwort

As stated in this page, Amazon Cognito does rotate signing keys. Your local JWK Set will get stale and it won't validate the access token signed with a rorated key in the user pool.

Amazon Cognito might rotate signing keys in your user pool. As a best practice, cache public keys in your app, using the kid as a cache key, and refresh the cache periodically. Compare the kid in the tokens that your app receives to your cache.

profile picture
HS
beantwortet vor 7 Monaten
  • IndieGameDeveloperFromParallelWorld
    vor 7 Monaten

    Hi Thanks, In that case, How ofteen should I update the JWKS data?

  • IndieGameDeveloperFromParallelWorld
    vor 7 Monaten

    Hi Thanks, In that case, How ofteen should I update the JWKS data?

  • HS
    vor 7 Monaten

    As stated in the documentation, you need to compare your kid in your local JWK Set with the kid in the token. If they don't match, then AWS should have rotated the key and its the time to refresh the cache. To provide maximum availability, you should compare the kid on every validation.

    If you receive a token with the correct issuer but a different kid, Amazon Cognito might have rotated the signing key. Refresh the cache from your user pool jwks_uri endpoint.

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt