Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

Best way to verify signature of ID Token from Cognito

0

I have a lambda that gets username from the ID token passed to it. But I want to know the best practice safety mechanism to put in place security concerns are addressed. So how can I verify the Id_token is from the same user the ID Token is supposed to be coming from. I know calling the getuser api with acesstoken is not a good method. What should be the best way here to verify the id?

Argomenti
ServerlessComputazionaliSicurezza, identità e conformità
Tag
AWS LambdaSicurezza, identità e conformitàAmazon Cognito
Lingua
English
IndieGameDeveloperFromParallelWorld
posta 10 mesi fa387 visualizzazioni
1 Risposta
1
Risposta accettata

Hi,

the best way to verify the id token is to use an OIDC, OAuth2, or JWT library.

those library will get the public key from the JWKS endpoint associated with the issuer of the token and validate the signature. Then it will validates that the token is in its valid time boundaries (not before, not after). You can generally add additional checks on claims values, scopes, and client id value.

We provide the following library to help you with that: https://github.com/awslabs/aws-jwt-verify

Jeff

AWS
Jeff Lombardo-AWS
con risposta 10 mesi fa
profile picture
ESPERTO
Mikel Del Tio
verificato 10 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente