Javascript 在哪里可以检索Cognito标识池的公钥?
实际上,我通过以下代码为未经身份验证的用户检索了一个签名的JWTJavascript 在哪里可以检索Cognito标识池的公钥?,javascript,amazon-web-services,jwt,amazon-cognito,Javascript,Amazon Web Services,Jwt,Amazon Cognito,实际上,我通过以下代码为未经身份验证的用户检索了一个签名的JWT AWS.config.region = 'eu-central-1'; // Region AWS.config.credentials = new AWS.CognitoIdentityCredentials({ IdentityPoolId: 'eu-central-1:cccccc-cccc-cccc-cccc', RoleArn: 'arn:aws:iam::iiiiiiiiiiiii:role/Cogni
AWS.config.region = 'eu-central-1'; // Region
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
IdentityPoolId: 'eu-central-1:cccccc-cccc-cccc-cccc',
RoleArn: 'arn:aws:iam::iiiiiiiiiiiii:role/Cognito_MyIdentityPoolUnauth_Role'
});
// Obtain Open ID Token (JWT)
AWS.config.credentials.get(function() {
console.log(AWS.config.credentials.params.WebIdentityToken);
});
如何检索公钥以验证签名
我只能从用户池中找到涉及令牌的文档。因为我想处理未经身份验证的用户,这对我没有帮助。AWS文档只描述了如何检索用户池的公钥,但也有身份池的公钥。虽然用户池公钥()的URL包含用户池Id,但标识池的URL不包含用户池Id Cognito标识池的公钥可以从中检索。 这将为跨区域的所有可能的标识池提供公钥 要识别正确的密钥,必须检查Open Id令牌头。 属性kid在密钥列表中标识正确的密钥
{
"kid": "eu-central-11",
"typ": "JWS",
"alg": "RS512"
}
例如,在这种情况下,正确的jwk应为:
{
kty: "RSA",
alg: "RS512",
use: "sig",
kid: "eu-central-11",
n: "AL9Kz62JHMpn5kBEqyoaXkM56x3l3Wi0kg0Juv71QtXo5M4ZJYxouKdcrKfevYTRNm6DE0hTbJnyj7Bh4EYbmruGdSWE970xkcFJxcgak0j4rneRX5G1E/xN27M42OOLmZCe8O6l3nksD0XGOqBPqOSEP3pYCNAYMncpSGnit56fUX+yszfMjGP3DVSUFZKtXbqwt/S0VpBi5BQbbD57R8DKenQsPfln91tgGopmXP66vZ4yWRUzs/mqHxcez3FcgHHXc6AbEJ6GOSVd9t+BCUW5kVY0aYO301PJczvB3zfsI6qebjS6BFTvMp8SqK532ZRnXEMgs/5gc9cfxpDsgvk=",
e: "AQAB"
}