在Paypal中使用Login和在AWS Cognito中使用OpenID [英] Using Login with Paypal and using OpenID with AWS Cognito
问题描述
我正在尝试使用Paypal支持的OpenID框架,将凭证与AWS Cognito服务绑定在一起.
I am trying to use the OpenID framework supported by Paypal to tie the credentials in with the AWS Cognito service.
如果我比较Salesforce的配置
If I compare the configuration from Salesforce
https://login.salesforce.com/.well-known/openid-配置
在Paypal上进行配置
to the configuration at Paypal
https://www.paypal.com/.well-known/openid-配置
贝宝(Paypal)配置缺少 jwks_uri 元素,该元素是每个
the Paypal configuration is missing the jwks_uri element which is a REQUIRED element of the OpenID Provider metadata per OIDC specification and AWS uses the keys at that URI to verify the id tokens.
使用Paypal登录以使用OpenID时应该使用其他网址吗?
Is there a different url I should be using for login with Paypal to work with OpenID?
是否还有其他方法可以使Paypal登录以与AWS Cognito服务一起使用,并与其他OpenID提供程序一起很好地工作?
Is there any other way to get Login with Paypal to work with the AWS Cognito service with works well with other OpenID providers?
推荐答案
Paypal不符合OpenID Connect:
Paypal is not OpenID Connect compliant:
- 您提到的发现"文档缺少必填项,但是:
- ID令牌使用对称密钥签名,这意味着实际上不需要JWKS URI,因为不使用公共/私有密钥(并且在该URI上发布对称密钥会破坏目的)
- 但是显然,不是客户端机密用于对ID令牌进行签名,以作为验证失败的标志
- ID令牌中没有
sub
声明 -
exp
声明未设置为绝对时间戳,而是相对超时
- as you mention the Discovery document lacks required entries, but:
- the ID token is signed with a symmetric key this means that no JWKS URI is actually needed since no public/private keys are used (and publishing the symmetric key on that URI defeats the purpose)
- but apparently it is not the client secret that is used to sign the ID token as verification with that fails
- there's no
sub
claim in the ID token - the
exp
claim is not set to an absolute timestamp but a relative timeout
由于Amazon Cognito与兼容OpenID Connect的提供商一起使用,因此Paypal无法正常工作.
Since Amazon Cognito works with OpenID Connect compliant providers, Paypal is not going to work.
这篇关于在Paypal中使用Login和在AWS Cognito中使用OpenID的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!