1 Answer
As stated on this page, Amazon Cognito does rotate signing keys. Your local JWK Set will get stale, and it won't validate an access token signed with a rotated key in the user pool.
Amazon Cognito might rotate signing keys in your user pool. As a best practice, cache public keys in your app, using the kid as a cache key, and refresh the cache periodically. Compare the kid in the tokens that your app receives to your cache.
answered 6 months ago
Hi, thanks. In that case, how often should I update the JWKS data?
As stated in the documentation, you need to compare the kid in your local JWK Set with the kid in the token. If they don't match, then AWS should have rotated the key, and it's time to refresh the cache. To provide maximum availability, you should compare the kid on every validation.
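The kid-keyed cache with refresh-on-mismatch that the answer and the follow-up describe, worked through as an added example (this is not code from the original post, from the questioner, or from AWS). So that it runs offline with only the standard library it uses an HS256 (`kty: oct`) JWK; a Cognito JWKS publishes RSA keys and the tokens are RS256, so in a real app the HMAC check is replaced by an RSA signature verification over the JWK the cache hands back (for instance with PyJWT). `JwksCache`, `verify_hs256`, `rotation_demo`, the kid strings and the secrets are all constructed for this example. The one thing it adds to the answer's advice is a minimum interval between refetches: without it, anyone who can present a token with a made-up kid can turn every request into a hit on the JWKS endpoint.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class TokenError(Exception):
    pass

class JwksCache:
    """JWKS keys indexed by kid; an unknown kid triggers a rate-limited refetch."""
    def __init__(self, fetch_jwks, min_refresh_interval=300.0, clock=time.monotonic):
        self._fetch = fetch_jwks           # callable returning the parsed JWKS document
        self._min_interval = min_refresh_interval
        self._clock = clock
        self._keys = {}
        self._last_refresh = None
        self.fetch_count = 0               # instrumentation for the demo

    def refresh(self, force=False):
        now = self._clock()
        if (not force and self._last_refresh is not None
                and now - self._last_refresh < self._min_interval):
            return False                   # refreshed recently: keep what we have
        jwks = self._fetch()
        self.fetch_count += 1
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._last_refresh = now
        return True

    def get_key(self, kid):
        if self._last_refresh is None:
            self.refresh(force=True)       # cold start
        key = self._keys.get(kid)
        if key is None:                    # kid not cached: the pool may have rotated
            self.refresh()
            key = self._keys.get(kid)
        return key

def sign_hs256(payload, jwk):
    """Mint a token for the demo only; Cognito signs with RS256, not HS256."""
    header = {"alg": "HS256", "kid": jwk["kid"]}
    signing_input = ".".join(b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                             for x in (header, payload))
    mac = hmac.new(b64url_decode(jwk["k"]), signing_input.encode("ascii"), hashlib.sha256)
    return signing_input + "." + b64url_encode(mac.digest())

def verify_hs256(token, cache, now=None):
    """Return the claims of a valid token, or raise TokenError."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        sig = b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")  # never let the token choose the algorithm
    kid = header.get("kid")
    jwk = cache.get_key(kid) if isinstance(kid, str) else None
    if jwk is None:
        raise TokenError("no published key for kid %r" % kid)
    mac = hmac.new(b64url_decode(jwk["k"]), (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256)
    if not hmac.compare_digest(mac.digest(), sig):
        raise TokenError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("exp", 0) <= (time.time() if now is None else now):
        raise TokenError("token expired")
    return payload

def rotation_demo():
    def jwk(kid, secret):                  # constructed keys; a Cognito JWKS holds RSA keys
        return {"kty": "oct", "alg": "HS256", "kid": kid, "k": b64url_encode(secret)}
    k1, k2 = jwk("kid-constructed-1", b"secret-one"), jwk("kid-constructed-2", b"secret-two")
    published = {"keys": [k1]}             # what the JWKS endpoint currently serves
    clock = [1_000_000.0]
    cache = JwksCache(lambda: published, min_refresh_interval=300.0, clock=lambda: clock[0])
    claims = {"sub": "alice", "exp": clock[0] + 86_400}

    def attempt(key):                      # -> (verified sub or None, JWKS fetches so far)
        try:
            sub = verify_hs256(sign_hs256(claims, key), cache, now=clock[0])["sub"]
        except TokenError:
            sub = None
        return sub, cache.fetch_count

    r = {"first": attempt(k1)}
    published["keys"] = [k2]               # the pool rotates; k1 is no longer published
    clock[0] += 3_600
    r["after_rotation"] = attempt(k2)      # unknown kid -> refetch -> verifies
    r["retired_key"] = attempt(k1)         # unknown kid, just refreshed -> no refetch, rejected
    clock[0] += 301                        # past the interval
    r["bogus_kid"] = attempt(jwk("kid-not-published", b"attacker-chosen"))  # one refetch, rejected
    return r
```

Calling `rotation_demo()` walks through the four cases: a cold start fetches the JWKS once, a token under the freshly rotated key causes exactly one more fetch and then verifies, a token under the retired key is rejected without another round trip because the cache was refreshed a moment ago, and a token with an unpublished kid after the interval has passed costs one fetch and is still rejected. Comparing the kid on every validation, as the answer recommends, is what makes the first rotated-key token succeed; the interval is what keeps the last case from becoming a way to flood the endpoint.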