1 Answer
Yes, you are correct. When you call the GetUser() API, Cognito verifies the access token to make sure that it is unexpired and has a valid signature. You do not need to perform JWKS verification on the access token beforehand, as Cognito will handle the validation internally. By calling the GetUser() API, you can both retrieve the user attributes and ensure that the access token is unexpired and has a valid signature, as well as check that it has not been revoked. This makes the use of a user pool authorizer optional, as you can still accomplish the same tasks without it.
answered a year ago
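To make the pattern in the answer concrete, here is an added example (not code from the answer or from AWS) of a service delegating access-token validation to GetUser: a rejected token surfaces as `NotAuthorizedException`, while an accepted call returns the user attributes. `FakeCognitoClient` is a constructed stand-in for `boto3.client("cognito-idp")` so the example runs offline; the usernames, tokens and attribute values are constructed.

```python
"""Validate a Cognito access token by calling GetUser instead of checking JWKS locally."""
from types import SimpleNamespace


def attributes_to_dict(user_attributes):
    # GetUser returns UserAttributes as a list of {"Name": ..., "Value": ...} entries
    return {attr["Name"]: attr["Value"] for attr in user_attributes}


def validate_access_token(client, access_token):
    """Return (ok, payload).

    ok is False when Cognito rejects the token (expired, bad signature or
    revoked); the caller never needs to verify the JWT signature itself.
    With boto3 this works unchanged: client = boto3.client("cognito-idp").
    """
    try:
        resp = client.get_user(AccessToken=access_token)
    except client.exceptions.NotAuthorizedException as exc:
        return False, {"error": "not_authorized", "message": str(exc)}
    return True, {
        "username": resp["Username"],
        "attributes": attributes_to_dict(resp["UserAttributes"]),
    }


# --- constructed stand-in for the real cognito-idp client (offline demo only) ---
class _NotAuthorized(Exception):
    pass


class FakeCognitoClient:
    exceptions = SimpleNamespace(NotAuthorizedException=_NotAuthorized)

    def __init__(self, valid_tokens):
        self._valid = valid_tokens  # token -> GetUser response (constructed)

    def get_user(self, AccessToken):
        if AccessToken not in self._valid:
            raise _NotAuthorized("Invalid Access Token")  # constructed message
        return self._valid[AccessToken]


def demo():
    client = FakeCognitoClient({
        "good-token": {
            "Username": "alice",
            "UserAttributes": [
                {"Name": "sub", "Value": "00000000-0000-0000-0000-000000000000"},
                {"Name": "email", "Value": "alice@example.com"},
            ],
        }
    })
    return validate_access_token(client, "good-token"), validate_access_token(client, "revoked-token")
```

Note that every request costs a network round trip to Cognito and counts against the GetUser request quota, which is the trade-off for getting revocation checks that a local JWKS verification cannot provide.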
Thank you very much! I wrote feedback on the GetUser API document - it would be cool to have that explicitly stated there.