AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

Using Cognito Developer Identities on API Gateway JWT Authorizer

0

In the Api Gateway JWT Authorizer, Why it is not possible to use the JWT token generated by getOpenIdTokenForDeveloperIdentity?:

I generate a developer identity token this way:

cognitoIdentity
      .getOpenIdTokenForDeveloperIdentity({
        IdentityPoolId: "us-east-1:43d2cbc6-...",
        // null when you want to create a new identity. An existing authenticated/unauthenticated identity when you want to associate a new login with an existing IdentityId
        // IdentityId: "",
        Logins: {
          mycustomprovider: "user id in my custom provider"
        },
 })

It returns a JWT with a payload and header like this:

{
  "sub": "us-east-1:...",
  "aud": "us-east-1:...",
  "amr": [
    "authenticated",
    "mycustomprovider",
    "mycustomprovider-east-1:...."
  ],
  "iss": "https://cognito-identity.amazonaws.com",
  "exp": 1686581019,
  "iat": 1686577419
}

header:

{
  "kid": "us-east-13",
  "typ": "JWS",
  "alg": "RS512"
}

I configured a JWT Authorizer with

However I get this response header with a error message: www-authenticate: Bearer scope="" error="invalid_token" error_description="unable to decode "n" from RSA public key" status: 401 Unauthorized

What's is wrong with my configuration?

トピック
サーバーレスフロントエンド Web & モバイルネットワークとコンテンツ配信セキュリティ、アイデンティティ、コンプライアンス
タグ
Amazon API GatewayAmazon Cognito
言語
English
j0nd0n7
質問済み 1年前288ビュー
1回答
0

I don't think what you are trying to do is possible. The error indicate that the built in JWT authorizer can't read the public key. Normally it tries to fetch the keys from https://<iss>/.well-known/jwks.json however the keys for https://cognito-identity.amazonaws.com is different per region, tryin to fetch https://cognito-identity.amazonaws.com/.well-known/jwks.json result in an access denied.

Instead try and verify using your own custom authorizer using the normal JWT validation steps.

1: Get OpenId config from: https://cognito-identity.amazonaws.com/.well-known/openid-configuration
2: Use the jwks_uri to fetch list of keys (e.g https://cognito-identity.amazonaws.com/.well-known/jwks_uri)
3: Use kid in token to get the correct key
4: Perform validation
profile picture
エキスパート
JimmyDqv
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ