Where can I retrieve the public key for a Cognito Identity Pool?

Submitted by 半腔热情 on 2020-06-26 06:13:25

Question


Actually, I retrieved a signed JWT for an unauthenticated user with the following code.

const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

AWS.config.region = 'eu-central-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'eu-central-1:cccccc-cccc-cccc-cccc',
    RoleArn: 'arn:aws:iam::iiiiiiiiiiiii:role/Cognito_MyIdentityPoolUnauth_Role'
});
// Obtain the Open ID Token (JWT). With RoleArn set, the SDK passes the token
// to STS AssumeRoleWithWebIdentity as the WebIdentityToken parameter.
AWS.config.credentials.get(function(err) {
    if (err) { console.error(err); return; }
    console.log(AWS.config.credentials.params.WebIdentityToken);
});

How can I retrieve the public key to verify the signature?

I can only find documentation covering tokens from a user pool. As I want to handle unauthenticated users, this does not help me.


Answer 1:


The AWS documentation only describes how to retrieve public keys for User Pools, but there are public keys for Identity Pools as well. While the URL for User Pool public keys (https://cognito-idp.region.amazonaws.com/userPoolId/.well-known/jwks.json) contains the User Pool Id, the URL for Identity Pools does not.

Public Keys for Cognito Identity Pools can be retrieved from https://cognito-identity.amazonaws.com/.well-known/jwks_uri. This provides the public keys for all possible Identity Pools across regions.

To identify the right key you have to inspect the Open ID Token header. The property kid identifies the right key in the key list.

{
    "kid": "eu-central-11",
    "typ": "JWS",
    "alg": "RS512"
}

E.g. in this case the right jwk would be:

{
    "kty": "RSA",
    "alg": "RS512",
    "use": "sig",
    "kid": "eu-central-11",
    "n": "AL9Kz62JHMpn5kBEqyoaXkM56x3l3Wi0kg0Juv71QtXo5M4ZJYxouKdcrKfevYTRNm6DE0hTbJnyj7Bh4EYbmruGdSWE970xkcFJxcgak0j4rneRX5G1E/xN27M42OOLmZCe8O6l3nksD0XGOqBPqOSEP3pYCNAYMncpSGnit56fUX+yszfMjGP3DVSUFZKtXbqwt/S0VpBi5BQbbD57R8DKenQsPfln91tgGopmXP66vZ4yWRUzs/mqHxcez3FcgHHXc6AbEJ6GOSVd9t+BCUW5kVY0aYO301PJczvB3zfsI6qebjS6BFTvMp8SqK532ZRnXEMgs/5gc9cfxpDsgvk=",
    "e": "AQAB"
}


Source: https://stackoverflow.com/questions/54839790/where-can-i-retrieve-the-public-key-for-an-cognito-identity-pool
