Stay up to date with the latest from the Knowledge Center. See all new and updated Knowledge Center articles published in the last month and re:Post’s top contributors.
Verify OpenId Connect token generated by Cognito Identity pool
I have a customer, that is using a Cognito Identity Pool in conjunction with a Cognito User Pool. He is using the Api Method GetOpenId token to generate a JWT token for an unauthenticated user and wants to verify the JWT token in the backend.
https://docs.aws.amazon.com/cognitoidentity/latest/APIReference/API_GetOpenIdToken.html
However this seems to be possible only with tokens generated by the user pool, see:
https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
Can the same be achieved with token from an identity pool? Where can i find the public keys used to verify the signature of the JWT?
- Newest
- Most votes
- Most comments
I have not tried it myself, but if it is an OIDC compliant token, you should be able to verify it through the official verification process, getting the jwks url in the iss field of the token
Here is how to do it:
- From the token get the iss value
- Issue a GET on the URI built from iss+/.well-know/openid-configuration https://cognito-identity.amazonaws.com/.well-known/openid-configuration
- From the JSON returned, get the jwks_uri field
- Issue a GET to the URI from the jwks_uri field to get the jwks https://cognito-identity.amazonaws.com/.well-known/jwks_uri
- Use the kid from the id token to select the right entry in the jwks to verify the signature
Relevant content
- asked 2 years ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 9 months ago
