Do you have to bother with JWKS verification of an access token if you are calling GetUser anyway?


If you have an API Gateway v2 -> Lambda that has a JWT authorizer attached to it, that Lambda will receive an authorization header of the form: "Bearer ewyxa...................." where everything after "Bearer" is an access token. At that point, if you need to get user attributes, you'd call Cognito GetUser using that token. I have done this, and it works great, but it got me thinking:

Do I need to do JWKS verification of the access token if I'm calling GetUser()? The docs state that GetUser requires an unexpired access token. To know it's not expired, it must check the signature. The docs don't say how it does this (JWKS or something internal to Cognito, which it could do since it's the issuer). What this makes me wonder is whether I need to attach a user pool authorizer at all. With no authorizer, I could still get the access token from the headers, then call GetUser(), and that would accomplish two tasks: getting the user attributes and at the same time verifying that the access token is unexpired and that its signature is good. It may even check that the access token has not been revoked.

None of this is clear to me from GetUser but it seems like it must be.

Can someone verify whether or not I'm right?

--Chris

wz2b
posted a year ago, 215 views
1 Answer

Accepted answer

Yes, you are correct. When you call the GetUser() API, Cognito verifies the access token to make sure that it is unexpired and has a valid signature. You do not need to perform JWKS verification on the access token beforehand, as Cognito will handle the validation internally. By calling the GetUser() API, you can both retrieve the user attributes and ensure that the access token is unexpired and has a valid signature, as well as check that it has not been revoked. This makes the use of a user pool authorizer optional, as you can still accomplish the same tasks without it.

answered a year ago
  • Thank you very much! I wrote feedback on the GetUser API document - it would be cool to have that explicitly stated there.
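
For anyone weighing the two options, here is what the JWKS check discussed above actually consists of, as an added example that is not part of the original post and not AWS code. It uses only the Python standard library: a demo RSA key pair stands in for the user pool's signing key, `jwks_for_key` builds the JWKS document the pool would publish, `issue_access_token` mints an RS256 token with Cognito-shaped claims (`iss`, `client_id`, `token_use`, `scope`, `exp`), and `verify_access_token` does the work of the authorizer: look up the `kid` in the JWKS, verify the RS256 signature, then check `exp`, `iss`, `token_use` and `client_id`. The issuer URL, `kid`, app client id and `sub` are all constructed values; the RSA key generation is there only so the block runs offline (use a maintained library for real key handling). The last two claim checks are the part a GetUser call cannot express, since its request carries nothing but the access token.

```python
# Added example, not code from the original post: RS256/JWKS verification of a
# Cognito-style access token, stdlib only. Key pair, kid, issuer, client id and
# claims are constructed for the demo; a real handler fetches and caches
#   https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json
import base64
import hashlib
import json
import secrets
import time


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, used only to build the demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def make_rsa_key(bits=1024):
    """Demo RSA key {'n','e','d'}; 1024 bits keeps the demo fast, never use it for real."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# DER DigestInfo prefix for SHA-256, per EMSA-PKCS1-v1_5 (RFC 8017, section 9.2)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _emsa_pkcs1_v15(msg, k):
    """0x00 0x01 FF..FF 0x00 DigestInfo||SHA-256(msg) as a k-byte big-endian integer."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def jwks_for_key(key, kid):
    """The JWKS document the issuer publishes for this key (public part only)."""
    k = (key["n"].bit_length() + 7) // 8
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64u(key["n"].to_bytes(k, "big")),
                      "e": b64u(key["e"].to_bytes(3, "big"))}]}


def issue_access_token(key, kid, claims):
    """Sign claims as an RS256 JWT, standing in for the user pool as issuer."""
    enc = lambda obj: b64u(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"kid": kid, "alg": "RS256"}) + "." + enc(claims)
    k = (key["n"].bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(signing_input.encode(), k), key["d"], key["n"])
    return signing_input + "." + b64u(sig.to_bytes(k, "big"))


def bearer_token(headers):
    """Pull the token out of 'Authorization: Bearer <jwt>' (header name in either case)."""
    auth = headers.get("authorization") or headers.get("Authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("missing bearer token")
    return token.strip()


def verify_access_token(token, jwks, issuer, client_id, now=None):
    """Return the claims if valid, else raise ValueError. Checks signature, exp,
    iss, token_use and the app client the token was issued to."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64u_decode(h64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    jwk = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(b64u_decode(jwk["n"]), "big")
    e = int.from_bytes(b64u_decode(jwk["e"]), "big")
    sig = int.from_bytes(b64u_decode(s64), "big")
    k = (n.bit_length() + 7) // 8
    if sig >= n or pow(sig, e, n) != _emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k):
        raise ValueError("bad signature")
    claims = json.loads(b64u_decode(p64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "access":
        raise ValueError("not an access token")
    if claims.get("client_id") != client_id:
        raise ValueError("token issued to a different app client")
    return claims


if __name__ == "__main__":
    # Constructed demo values, not real pool, client or user identifiers
    ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
    CLIENT = "example-app-client-id"
    key = make_rsa_key()
    jwks = jwks_for_key(key, "demo-kid-1")
    tok = issue_access_token(key, "demo-kid-1", {
        "sub": "11111111-2222-3333-4444-555555555555", "iss": ISSUER,
        "client_id": CLIENT, "token_use": "access",
        "scope": "aws.cognito.signin.user.admin", "exp": int(time.time()) + 3600})
    headers = {"authorization": "Bearer " + tok}  # as API Gateway v2 hands it to Lambda
    print(verify_access_token(bearer_token(headers), jwks, ISSUER, CLIENT)["sub"])
```

Two practical notes. With the JWT authorizer left in place, the Lambda does not need to re-verify at all: API Gateway v2 has already done the above and exposes the claims at `event["requestContext"]["authorizer"]["jwt"]["claims"]`, so GetUser is only needed for attributes that are not in the token. And a JWKS check against a cached document is local, while every GetUser call is a round trip to Cognito, which matters once the route is hot.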
