- 最新
- 最多得票
- 最多評論
Yes the document does not specify whether the keys are rotated. However, Cognito service may need to rotate the keys if required.
Hence, we recommend you to cache each key present in JWKS URI [1] against "kid". When you have a token to validate, then first check the "kid" present in the header of that JWT token. If you have a key with that "kid" in your cache then use that key. Otherwise, query the JWKS URI to fetch recent keys and update your local cache with the new "kid". This will help to make the application more robust and you will be able to handle the scenario if the public key is rotated in unforeseen future.
--References--
[1] The format of the JWKS URI is following (replace {region} with AWS region and replace {userPoolId} with the ID of your user pool): https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
相關內容
- AWS 官方已更新 1 年前
- AWS 官方已更新 2 年前
- AWS 官方已更新 1 年前
Where should we cache them? Users can find the region and user pool ID with a bit of snooping, so the JWKS is essentially public. Would hardcoding them be ill-advised?
You need to cache it in server side of your resource server (means where you are performing JWT validation before providing access to your secured resources).
Thank you but I meant what caching method/service? Right now I'm trying S3 but it is convoluted compared to just downloading the JWKS each time as I have been doing. This is in a Lambda authorizer for APIGW written in Go. What did you have in mind for caching?