AWS Cognito-为什么即使更改用户池或删除用户，令牌仍然仍然有效(.Net核心) [英] AWS Cognito - Why is token still valid even User pool is changed or User is deleted (.Net core)

问题描述

我对AWS Cognito以及令牌安全性还很陌生.我决定将AWS Cognito用于可能的应用程序.我按照此处的Web应用程序和Web API指南进行操作.

I'm quite new to AWS Cognito and about token security. I decided to use AWS Cognito for may application. I followed the guide here for my web app and my web api.

https://dzone.com/articles/identity-as-a-service-idaas-aws-cognito-and-aspnet https://dzone.com/articles/identity-as-a-service-idaas-asp-net-core-api-and-a

一切正常.但是，当我尝试在AWS Cognito中创建新的用户池，然后将Web应用程序和Web api的应用程序设置都更改为使用新用户池时，我发现有些奇怪.

Everything works fine. But when I try to create a new User pool in AWS Cognito and then change the appsetting for both web app and web api to use the new user pool, I found something quite weird.

1. (对于Web应用程序).用户仍然可以通过属于旧用户池的旧令牌访问控制器操作，该旧用户池甚至在将该操作标记为[授权]之前就已使用过.我不知道为什么即使将appsetting设置为新的User pool，用户仍然可以使用旧令牌访问.(但用户无法使用带有旧令牌的新用户池访问网络api)

1. (For the web app). User still can access controller action by the old token that belong to the old User pool that used before even the action is marked as [Authorize]. I don't know why user still can access with the old token even appsetting is set to the new User pool. (But User cannot access to the web api,that use new User pool, with the old token)

(适用于Web应用程序和Web API).然后，我从旧的用户池中删除了该用户，并将Web应用程序和Web api设置为使用旧的用户池.我发现即使删除了该用户，用户仍然可以访问Web应用程序和Web api中的操作.

(For both web app and web api). Then I deleted that User from the old User pool and set web app and web api to use the old user pool. I found that User still can access both action in web app and web api even that User was deleted.

我认为我可能缺少有关验证令牌或设置的信息.谁能建议解决问题的解决方案?

I think that it might be something that I missing about validation token or setting. Can anyone suggest about a solution to fix that?

推荐答案

AWS Cognito用户池颁发的ID令牌是JWT令牌，由AWS签名.发行后，令牌的有效期为1小时.在这1个小时内，由于令牌无状态，因此无法撤消令牌.

The ID Token issued by AWS Cognito User Pool is a JWT token, which is Signed By AWS. Once issued the token is valid for 1 hour. Within this 1 hour, there is no way of revoking the token since its stateless.

Amazon Cognito为每个用户池生成两个RSA密钥对.这每对的私钥用于签名各自的ID令牌或访问令牌.公钥在此地址中可用格式:

Amazon Cognito generates two RSA key pairs for each user pool. The private key of each pair is used to sign the respective ID token or access token. The public keys are made available at an address in this format:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

由于公钥是公开可用的，因此任何人都可以验证JWT令牌是否真实并由AWS Cognito发行.

Since the public key is publically available, anyone can verify whether the JWT token is authentic and issued by AWS Cognito.

但是，这涉及到许多要验证的事情.

However, this involved multiple things to verify.

1. 验证JWT令牌编码是否符合JWT标准.
2. 验证JWT颁发者，是否是特定的用户池(验证其ID).
3. 验证令牌是否为ID令牌(可选).
4. 验证令牌的受众群体(是否针对特定的应用程序发行).
5. 验证令牌签名(这是需要公共密钥的地方).
6. 验证令牌是否过期.

此信息已经包含在根据JWT标准正确编码的JWT令牌字符串中.

This information is already self-contained within the JWT token string properly encoded according to the JWT standard.

因此，即使Cognito用户池也被删除，如果存在有效令牌(颁发后不到1小时)，则在验证过程使用存储的公钥进行验证的情况下也应有效.

Therefore, even the Cognito User Pool is deleted, if there is a valid token (< 1 hour after issued), it should be valid, if the verification process uses a stored Public key to verify it.

这篇关于AWS Cognito-为什么即使更改用户池或删除用户，令牌仍然仍然有效(.Net核心)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！