我使用AWS Cognito来验证用户。
我一直在使用Kosjs创建了一个服务器,并使用KOA,智威汤逊库检验用户是否具有有效的id_tokens。
KOA-JWT预计最初存在于由AWS Cognito返回的id_token的id_token的AUD属性。
但是,当我使用刷新标记获得新的令牌,新的令牌包含澳元CLIENT_ID代替。
正因为如此,相思树,智威汤逊不验证id_token了。
有没有什么办法让从AWS Cognito一致的结果?
这是登录后id_token样本:
{
"sub": "1Xfe6c44-XXXX-4cbf-9fb2-2778a1b0e5be",
"email_verified": true,
"iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxOUKTJu",
"phone_number_verified": true,
"cognito:username": "[email protected]",
"given_name": "Some1",
"aud": "xxxxf9f0lmr1q6ni2c09umdds",
"event_id": "9cf03730-xxxx-11e9-a89f-67080ff7c936",
"token_use": "id",
"auth_time": 1546931916,
"phone_number": "+16806666986",
"exp": 1546935516,
"iat": 1546931916,
"family_name": "Some2",
"email": "[email protected]"
}
这是refresh_token返回的样品id_token:
{
"sub": "16fe6c44-xxxx-xxxx-9fb2-2778a1b0e5be",
"event_id": "9cf03730-xxxx-xxxx-a89f-67080ff7c936",
"token_use": "access",
"scope": "aws.cognito.signin.user.admin",
"auth_time": 1546931916,
"iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxxxKTJu",
"exp": 1546939290,
"iat": 1546935690,
"jti": "6fab7b58-xxxx-xxxx-a339-ddb6467e2d4c",
"client_id": "xxxxx9f0lmr1q6ni2c09umdds",
"username": "[email protected]"
}
我还没有完全刷新测试的东西,但我得到了由this section对KOA,智威汤逊自述底部下面的例子快速工作的基本知识。
const { koaJwtSecret } = require('jwks-rsa');
app.use(jwt({
secret: <any> koaJwtSecret({
jwksUri: `https://cognito-idp.${config.userPoolRegion}.amazonaws.com/${config.userPoolId}/.well-known/jwks.json`,
cache: true,
cacheMaxEntries: 5,
cacheMaxAge: 36000000 ///10 hr
})
}));