在哪里可以获取Cognito身份池的公钥? [英] Where can I retrieve the public key for an Cognito Identity Pool?

问题描述

实际上，我通过以下代码为未经身份验证的用户检索了一个已签名的JWT.

Actually I retrieved an signed JWT for an unauthenticated user by the following code.

AWS.config.region = 'eu-central-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'eu-central-1:cccccc-cccc-cccc-cccc',
    RoleArn: 'arn:aws:iam::iiiiiiiiiiiii:role/Cognito_MyIdentityPoolUnauth_Role'
});
// Obtain Open ID Token (JWT)
AWS.config.credentials.get(function() {
    console.log(AWS.config.credentials.params.WebIdentityToken);
});

如何检索公共密钥以验证签名?

How can I retrieve the public key to verify the signature?

我只能从用户池中找到有关令牌的文档.因为我想处理未经身份验证的用户，所以这对我没有帮助.

I can only find documentation covering tokens from an user pool. As i want to handle unauthenticated users this does not help me.

推荐答案

AWS文档仅描述了如何检索用户池的公共密钥，但是也有针对身份池的公共密钥.而用户池公用密钥的URL( https://cognito-idp. region .amazonaws.com/ userPoolId /.well-known/jwks.json )包含用户池ID，用于身份池的网址不是.

The AWS documentation only describes how to retrieve public keys for User Pools, but there are public keys for Identity Pools as well. While the URL for User Pool public keys (https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/jwks.json) contains the User Pool Id the URL for Identity Pools does not.

可以从 https://cognito- identity.amazonaws.com/.well-known/jwks_uri . 这为跨区域的所有可能的身份池提供了公共密钥.

Public Keys for Cognito Identity Pools can be retrieved from https://cognito-identity.amazonaws.com/.well-known/jwks_uri. This provides the public keys for all possible Identity Pools across regions.

要标识正确的密钥，您必须检查Open Id Token标头. 财产小子在密钥列表中标识了正确的密钥.

To identitfy the right key you have to inspect the Open Id Token header. The property kid identifies the right key in the key list.

{
    "kid": "eu-central-11",
    "typ": "JWS",
    "alg": "RS512"
}

例如在这种情况下，正确的jwk将是:

E.g. in this case the right jwk would be:

{
    kty: "RSA",
    alg: "RS512",
    use: "sig",
    kid: "eu-central-11",
    n: "AL9Kz62JHMpn5kBEqyoaXkM56x3l3Wi0kg0Juv71QtXo5M4ZJYxouKdcrKfevYTRNm6DE0hTbJnyj7Bh4EYbmruGdSWE970xkcFJxcgak0j4rneRX5G1E/xN27M42OOLmZCe8O6l3nksD0XGOqBPqOSEP3pYCNAYMncpSGnit56fUX+yszfMjGP3DVSUFZKtXbqwt/S0VpBi5BQbbD57R8DKenQsPfln91tgGopmXP66vZ4yWRUzs/mqHxcez3FcgHHXc6AbEJ6GOSVd9t+BCUW5kVY0aYO301PJczvB3zfsI6qebjS6BFTvMp8SqK532ZRnXEMgs/5gc9cfxpDsgvk=",
    e: "AQAB"
}

这篇关于在哪里可以获取Cognito身份池的公钥?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！