AWS re:Post을(를) 사용하면 다음에 동의하게 됩니다. AWS re:Post 이용 약관
AWS re:Postre:Post

Using Cognito Developer Identities on API Gateway JWT Authorizer

0

In the Api Gateway JWT Authorizer, Why it is not possible to use the JWT token generated by getOpenIdTokenForDeveloperIdentity?:

I generate a developer identity token this way:

cognitoIdentity
      .getOpenIdTokenForDeveloperIdentity({
        IdentityPoolId: "us-east-1:43d2cbc6-...",
        // null when you want to create a new identity. An existing authenticated/unauthenticated identity when you want to associate a new login with an existing IdentityId
        // IdentityId: "",
        Logins: {
          mycustomprovider: "user id in my custom provider"
        },
 })

It returns a JWT with a payload and header like this:

{
  "sub": "us-east-1:...",
  "aud": "us-east-1:...",
  "amr": [
    "authenticated",
    "mycustomprovider",
    "mycustomprovider-east-1:...."
  ],
  "iss": "https://cognito-identity.amazonaws.com",
  "exp": 1686581019,
  "iat": 1686577419
}

header:

{
  "kid": "us-east-13",
  "typ": "JWS",
  "alg": "RS512"
}

I configured a JWT Authorizer with

However I get this response header with a error message: www-authenticate: Bearer scope="" error="invalid_token" error_description="unable to decode "n" from RSA public key" status: 401 Unauthorized

What's is wrong with my configuration?

주제
서버리스프론트엔드 웹 및 모바일네트워킹 및 콘텐츠 전송보안, 신원 및 규정 준수
태그
아마존 API 게이트웨이아마존 Cognito
언어
English
j0nd0n7
질문됨 일 년 전288회 조회
1개 답변
0

I don't think what you are trying to do is possible. The error indicate that the built in JWT authorizer can't read the public key. Normally it tries to fetch the keys from https://<iss>/.well-known/jwks.json however the keys for https://cognito-identity.amazonaws.com is different per region, tryin to fetch https://cognito-identity.amazonaws.com/.well-known/jwks.json result in an access denied.

Instead try and verify using your own custom authorizer using the normal JWT validation steps.

1: Get OpenId config from: https://cognito-identity.amazonaws.com/.well-known/openid-configuration
2: Use the jwks_uri to fetch list of keys (e.g https://cognito-identity.amazonaws.com/.well-known/jwks_uri)
3: Use kid in token to get the correct key
4: Perform validation
profile picture
전문가
JimmyDqv
답변함 일 년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠