will JWKS for verifying signature of Cognito access token expire?

I am storing the JWK Set for my user pool locally in server and comparing it against the accessToken from cognto to verify the request. I have doubt whether the JWKS have any sort of validity and become void after expiry?

Topics

Security, Identity, & Compliance

Tags

Amazon Cognito Amazon Cognito User Pools

Language

English

IndieGameDeveloperFromParallelWorld

asked 6 months ago368 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

Accepted Answer

As stated in this page, Amazon Cognito does rotate signing keys. Your local JWK Set will get stale and it won't validate the access token signed with a rorated key in the user pool.

Amazon Cognito might rotate signing keys in your user pool. As a best practice, cache public keys in your app, using the kid as a cache key, and refresh the cache periodically. Compare the kid in the tokens that your app receives to your cache.

answered 6 months ago

IndieGameDeveloperFromParallelWorld
6 months ago
Hi Thanks, In that case, How ofteen should I update the JWKS data?
IndieGameDeveloperFromParallelWorld
6 months ago
Hi Thanks, In that case, How ofteen should I update the JWKS data?
HS
6 months ago
As stated in the documentation, you need to compare your kid in your local JWK Set with the kid in the token. If they don't match, then AWS should have rotated the key and its the time to refresh the cache. To provide maximum availability, you should compare the kid on every validation.

If you receive a token with the correct issuer but a different kid, Amazon Cognito might have rotated the signing key. Refresh the cache from your user pool jwks_uri endpoint.

Relevant content

aws cognito verifying jwt token
Accepted Answer
rePost-User-5945496
asked a year ago
Best way to verify signature of ID Token from Cognito
Accepted Answer
IndieGameDeveloperFromParallelWorld
asked 9 months ago
Authenticate AWS Gateway request against Cognito user pool using the acces token instead of the id token?
Accepted Answer
cao95
asked 4 months ago
Verify OpenId Connect token generated by Cognito Identity pool
Accepted Answer
Johannes Langer
asked 6 years ago
How can I decode and verify the signature of an Amazon Cognito JSON Web Token?
AWS OFFICIALUpdated 2 years ago
How do I troubleshoot "Unable to verify secret hash for client <client-id>" errors from my Amazon Cognito user pools API?
AWS OFFICIALUpdated 3 years ago
How do I revoke JWT tokens in Amazon Cognito using the AWS CLI?
AWS OFFICIALUpdated a year ago
How do I increase security in Amazon Cognito by using MFA settings for users and user pools?
AWS OFFICIALUpdated a year ago
AWS Cognito Finally Supports Custom Claims for Access Tokens
EXPERT
Antonio_Lagrotteria
published a month ago
How to build a unified authorization layer for identity providers with Amazon Verified Permissions
EXPERT
JohnT
published 17 days ago