Do you have to bother with JWKS verification of an access token if you are calling GetUser anyway?


If you have an API Gateway v2 -> Lambda that has a JWT authorizer attached to it, that lambda will receive an authorization header of the form: "Bearer ewyxa...................." where everything after "Bearer" is an access token. At that point, if you need to get user attributes, you'd call cognito GetUser using that token. I have done this, and it works great, but it got me thinking:

Do I need to do JWKS verification of the access token if I'm calling GetUser()? The docs state that GetUser requires an unexpired access token. To know it's not expired, it must check the signature. The docs don't say how it does this (JWKS or something internal to Cognito, which it could do since it's the issuer). What this makes me wonder is: do I need to attach a user pool authorizer at all? With no authorizer, I could still get the access token from the headers, then call GetUser(), and that would accomplish two tasks: getting the user attributes and at the same time verifying the access token is unexpired and that its signature is good. It may even check that the access token has not been revoked.

None of this is clear to me from GetUser but it seems like it must be.

Can someone verify whether or not I'm right?


asked a year ago · 222 views
1 Answer
Accepted Answer

Yes, you are correct. When you call the GetUser() API, Cognito verifies the access token to make sure that it is unexpired and has a valid signature. You do not need to perform JWKS verification on the access token beforehand, as Cognito will handle the validation internally. By calling the GetUser() API, you can both retrieve the user attributes and ensure that the access token is unexpired and has a valid signature, as well as check that it has not been revoked. This makes the use of a user pool authorizer optional, as you can still accomplish the same tasks without it.

answered a year ago
  • Thank you very much! I wrote feedback on the GetUser API document - it would be cool to have that explicitly stated there.
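The pattern the question and accepted answer describe, as an added example that is not code from the asker, the answerer, or AWS: a Lambda handler behind an API Gateway v2 route reads the `Authorization: Bearer ...` header from the event, hands the token to Cognito `GetUser`, and treats Cognito's `NotAuthorizedException` as the verdict that the token is expired, badly signed or revoked. The `FakeCognito` class is a constructed stand-in for the `boto3` `cognito-idp` client so the module runs offline; in Lambda you would pass the real `boto3.client("cognito-idp")` (which the handler creates if no client is supplied). Event shape, attribute values and the valid-token string are constructed for the example.

```python
import json


def extract_bearer_token(event):
    """Pull the raw access token out of an API Gateway v2 event.

    HTTP API (v2) lowercases header names, but the lookup is case-insensitive
    so the same code works for hand-built test events.
    """
    headers = event.get("headers") or {}
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not auth:
        return None
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def get_user_attributes(cognito, access_token):
    """Call GetUser; return a flat dict of attributes, or None if Cognito rejects the token.

    Per the accepted answer, Cognito itself checks signature, expiry and
    revocation, so no local JWKS verification happens here. A deleted user
    surfaces as UserNotFoundException and is treated the same way.
    """
    try:
        resp = cognito.get_user(AccessToken=access_token)
    except (cognito.exceptions.NotAuthorizedException,
            cognito.exceptions.UserNotFoundException):
        return None
    attrs = {a["Name"]: a["Value"] for a in resp.get("UserAttributes", [])}
    attrs["username"] = resp["Username"]
    return attrs


def handler(event, context=None, cognito=None):
    """Lambda entry point. `cognito` is injectable so the logic can run offline."""
    if cognito is None:
        import boto3  # real client, only created when no stand-in is supplied
        cognito = boto3.client("cognito-idp")
    token = extract_bearer_token(event)
    if token is None:
        return {"statusCode": 401, "body": json.dumps({"error": "missing bearer token"})}
    attrs = get_user_attributes(cognito, token)
    if attrs is None:
        # Token expired, signature invalid, or token revoked: Cognito said no.
        return {"statusCode": 401, "body": json.dumps({"error": "token rejected by Cognito"})}
    return {"statusCode": 200, "body": json.dumps({"user": attrs})}


# --- constructed offline stand-in for boto3's cognito-idp client ---------------
class _Exceptions:
    class NotAuthorizedException(Exception):
        pass

    class UserNotFoundException(Exception):
        pass


class FakeCognito:
    """Accepts exactly one constructed token; everything else is rejected the way
    a real user pool rejects expired, tampered or revoked access tokens."""
    exceptions = _Exceptions
    VALID_TOKEN = "constructed-valid-access-token"  # constructed, not a real JWT

    def get_user(self, AccessToken):
        if AccessToken != self.VALID_TOKEN:
            raise self.exceptions.NotAuthorizedException("Invalid Access Token")
        return {
            "Username": "alice",
            "UserAttributes": [
                {"Name": "sub", "Value": "00000000-0000-0000-0000-000000000000"},
                {"Name": "email", "Value": "alice@example.com"},
            ],
        }


if __name__ == "__main__":
    event = {"headers": {"authorization": "Bearer " + FakeCognito.VALID_TOKEN}}
    print(handler(event, cognito=FakeCognito()))
    print(handler({"headers": {"authorization": "Bearer tampered"}}, cognito=FakeCognito()))
```

Because the handler only trusts the outcome of `GetUser`, every request costs one Cognito API call; that is the trade the asker describes when dropping the user pool authorizer, and it is worth keeping in mind for high-volume routes. Any other `botocore` error (throttling, network failure) is deliberately left to propagate so it shows up as a 5xx rather than being mistaken for a bad token.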
