If you have an API Gateway v2 -> Lambda that has a JWT authorizer attached to it, that Lambda will receive an authorization header of the form: "Bearer ewyxa...................." where everything after "Bearer" is an access token. At that point, if you need to get user attributes, you'd call Cognito GetUser using that token. I have done this, and it works great, but it got me thinking:
Do I need to do JWKS verification of the access token if I'm calling GetUser()? The docs state that GetUser requires an unexpired access token. To know it's not expired, it must check the signature. The docs don't say how it does this (JWKS or something internal to Cognito, which it could do since it's the issuer). What this makes me wonder is whether I need to attach a user pool authorizer at all. With no authorizer, I could still get the access token from the headers, then call GetUser(), and that would accomplish two tasks: getting the user attributes and at the same time verifying the access token is unexpired and that its signature is good. It may even check that the access token has not been revoked.
None of this is clear to me from GetUser but it seems like it must be.
Can someone verify whether or not I'm right?
--Chris
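As an added, self-contained illustration (not Chris's code and not anything published by AWS): the checks that "JWKS verification" of a Cognito access token actually consists of, done inside the Lambda with only the Python standard library. It pulls the token out of an HTTP API (API Gateway v2) event, verifies the RS256 signature against a JWKS document, and then checks iss, token_use, client_id and exp. The pool ID, app client ID and key ID are made-up placeholders; the 512-bit key, the Miller-Rabin prime generator and the token-minting function exist only so the example can run offline and stand in for Cognito's signing. A real handler would fetch the pool's JWKS from the issuer's /.well-known/jwks.json URL, cache it, and use a maintained JWT library instead of hand-rolled RSA.

```python
import base64, hashlib, hmac, json, math, random, time

# Hypothetical pool and app client identifiers; substitute your own.
REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
ISSUER = "https://cognito-idp.%s.amazonaws.com/%s" % (REGION, USER_POOL_ID)
# Production code fetches ISSUER + "/.well-known/jwks.json" once and caches it.
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def bearer_token(event):
    """Access token from an HTTP API event (header names arrive lower-cased)."""
    scheme, _, token = (event.get("headers") or {}).get("authorization", "").partition(" ")
    return (token.strip() or None) if scheme.lower() == "bearer" else None

def _pkcs1_v15_encode(n, msg):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), sized to the modulus."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * ((n.bit_length() + 7) // 8 - len(t) - 3) + b"\x00" + t

def rsa_sha256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _pkcs1_v15_encode(n, msg))

def rsa_sha256_sign(n, d, msg):
    """Only used to mint sample tokens here; Cognito signs with its own private keys."""
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_v15_encode(n, msg), "big"), d, n).to_bytes(k, "big")

def verify_cognito_access_token(token, jwks, now=None):
    """RS256 signature check against the pool's JWKS plus the claim checks a user
    pool authorizer applies to an access token. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")  # real code refreshes the JWKS once, then fails
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rsa_sha256_verify(n, e, (h_b64 + "." + p_b64).encode(), b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("token_use") != "access":  # an ID token must not be accepted here
        raise ValueError("not an access token")
    if claims.get("client_id") != CLIENT_ID:  # access tokens carry client_id, not aud
        raise ValueError("wrong app client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    return claims

def _probable_prime(c, rng, rounds=32):
    """Miller-Rabin; adequate for demo keys only."""
    d, r = c - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, c - 1), d, c)
        if x in (1, c - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, c)
            if x == c - 1:
                break
        else:
            return False
    return True

def demo_keypair(bits=512, seed=1):
    """Deterministic, deliberately small RSA key (n, e, d) for offline demonstration."""
    rng, e = random.Random(seed), 65537
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def jwks_for(n, e, kid="demo-kid"):
    """JWKS document in the shape Cognito publishes (constructed, one key)."""
    enc = lambda x: b64url_encode(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": enc(n), "e": enc(e)}]}

def mint_token(claims, n, d, kid="demo-kid", alg="RS256"):
    """Mint a sample JWT: constructed test input standing in for a Cognito-issued token."""
    h = b64url_encode(json.dumps({"alg": alg, "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    return h + "." + p + "." + b64url_encode(rsa_sha256_sign(n, d, (h + "." + p).encode()))

if __name__ == "__main__":
    n, e, d = demo_keypair()
    now = int(time.time())
    tok = mint_token({"sub": "1234", "iss": ISSUER, "client_id": CLIENT_ID,
                      "token_use": "access", "exp": now + 3600, "iat": now}, n, d)
    event = {"headers": {"authorization": "Bearer " + tok}}  # constructed HTTP API event
    print(verify_cognito_access_token(bearer_token(event), jwks_for(n, e))["sub"])
```

Whatever GetUser does on the Cognito side, a local check of this shape is what the attached authorizer performs before a request ever reaches the Lambda, with no network round trip per request; it is also the part that rejects an ID token passed in place of an access token, or a token minted for a different app client, which are the cases worth testing explicitly.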
Thank you very much! I wrote feedback on the GetUser API document - it would be cool to have that explicitly stated there.