【发布时间】:2019-06-02 22:50:34
【问题描述】:
我正在使用 AWS Cognito 对用户进行身份验证。
我已经使用 Kosjs 创建了一个服务器,并使用 koa-jwt 库来验证用户是否拥有有效的 id_tokens。
koa-jwt 期望 id_token 中有一个 aud 属性,该属性最初存在于 AWS Cognito 返回的 id_token 中。
但是当我使用刷新令牌获取新令牌时,新令牌包含 client_id 而不是 aud。
因此,koa-jwt 不再验证 id_token。
有什么方法可以从 AWS Cognito 获得一致的结果?
这是登录后的示例 id_token:
{
"sub": "1Xfe6c44-XXXX-4cbf-9fb2-2778a1b0e5be",
"email_verified": true,
"iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxOUKTJu",
"phone_number_verified": true,
"cognito:username": "oqtz@n.spamtrap.co",
"given_name": "Some1",
"aud": "xxxxf9f0lmr1q6ni2c09umdds",
"event_id": "9cf03730-xxxx-11e9-a89f-67080ff7c936",
"token_use": "id",
"auth_time": 1546931916,
"phone_number": "+16806666986",
"exp": 1546935516,
"iat": 1546931916,
"family_name": "Some2",
"email": "oqtz@n.spamtrap.co"
}这是由 refresh_token 返回的示例 id_token:
{
"sub": "16fe6c44-xxxx-xxxx-9fb2-2778a1b0e5be",
"event_id": "9cf03730-xxxx-xxxx-a89f-67080ff7c936",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1546931916,
"iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxxxKTJu",
"exp": 1546939290,
"iat": 1546935690,
"jti": "6fab7b58-xxxx-xxxx-a339-ddb6467e2d4c",
"client_id": "xxxxx9f0lmr1q6ni2c09umdds",
"username": "oqtz@n.spamtrap.co"
}【问题讨论】:
标签: amazon-cognito koa