Token validation using the OAuth2 Cognito configuration parameters in a .NET Core Web API

Question (votes: -1, answers: 1)

I am running a Web API in .NET Core 2.1 and I need to validate the JWT token carried in incoming requests. The token is issued by an OAuth 2 IdP and inserted by my client into its requests to the Web API. The OpenID configuration I can obtain from Cognito is the following:

{
    "authorization_endpoint": "https://xxx.xxx.xxx.amazoncognito.com/oauth2/authorize",
    "id_token_signing_alg_values_supported": ["RS256"],
    "issuer": "https://cognito-idp.eu-west-1.amazonaws.com/xxx",
    "jwks_uri": "https://cognito-idp.eu-west-1.amazonaws.com/xxxxxx/.well-known/jwks.json",
    "response_types_supported": ["code", "token", "token id_token"],
    "scopes_supported": ["openid", "email", "phone", "profile"],
    "subject_types_supported": ["public"],
    "token_endpoint": "https://xxxxxxx.auth.eu-west-1.amazoncognito.com/oauth2/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "userinfo_endpoint": "https://xxxxxxxx.auth.eu-west-1.amazoncognito.com/oauth2/userInfo"
}

I would like to handle this task the "standard" .NET Core Web API way, implemented in startup.cs:

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Clock skew compensates for server time drift.
            // We recommend 5 minutes or less:
            ClockSkew = TimeSpan.FromMinutes(5),
            // Specify the key used to sign the token:
            IssuerSigningKey = signingKey,
            RequireSignedTokens = true,
            // Ensure the token hasn't expired:
            RequireExpirationTime = true,
            ValidateLifetime = true,
            // Ensure the token audience matches our audience value (default true):
            ValidateAudience = true,
            ValidAudience = "api://default",
            // Ensure the token was issued by a trusted authorization server (default true):
            ValidateIssuer = true,
            ValidIssuer = "???????"
        };
    });

How do I use/match the Cognito parameters in the Web API token validation parameters? In particular, how do I load IssuerSigningKey, ValidIssuer and ValidAudience?

oauth-2.0 .net-core amazon-cognito asp.net-core-webapi
1 answer

0 votes

Basically, I solved the token signature validation check by inserting the following into the "ConfigureServices" method of "Startup.cs":

...

// Requires Microsoft.IdentityModel.Protocols, Microsoft.IdentityModel.Protocols.OpenIdConnect,
// System.Threading and System.Threading.Tasks.
// Downloads the OpenID discovery document (and, through it, the JWKS) from Cognito.
IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
    new ConfigurationManager<OpenIdConnectConfiguration>(
        "*PutHereCognitoOpenIdWellKnownConfigurationURL*",
        new OpenIdConnectConfigurationRetriever());
Task<OpenIdConnectConfiguration> t = configurationManager.GetConfigurationAsync(CancellationToken.None);
t.Wait();
OpenIdConnectConfiguration openIdConfig = t.Result;

...

The previous statements gave me the IssuerSigningKeys, so I also inserted the following:

...

services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RequireExpirationTime = true,
            RequireSignedTokens = true,
            ValidateAudience = false,
            ValidateIssuer = false,
            ValidateLifetime = false,
            IssuerSigningKeys = openIdConfig.SigningKeys
        };
    });

...

Then I called "app.UseAuthentication();" in the Configure method. Finally, I decorated each Web API method involved with [Authorize].
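The answer above only checks the signature and turns off issuer, audience and lifetime validation. The following is an added example (not code from the question or the answer) that wires the same Cognito parameters into the full set of checks the question asked about: the "issuer" value becomes ValidIssuer, the JWKS is fetched automatically via Authority, and the audience is matched against the app client id. The user pool id and app client id are placeholders; it also assumes Cognito's convention that ID tokens carry "aud" while access tokens carry "client_id".

```csharp
using System;
using System.Linq;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class CognitoJwtSetup
{
    // Placeholders: replace with your own region, user pool id and app client id.
    const string Region = "eu-west-1";
    const string UserPoolId = "eu-west-1_EXAMPLE";
    const string AppClientId = "example-app-client-id";

    public static void AddCognitoJwtBearer(this IServiceCollection services)
    {
        // This is exactly the "issuer" value from the OpenID configuration document.
        string issuer = $"https://cognito-idp.{Region}.amazonaws.com/{UserPoolId}";

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Authority makes the handler download {issuer}/.well-known/openid-configuration
                // and the jwks_uri it points to, and refresh the keys when Cognito rotates them.
                options.Authority = issuer;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = issuer,
                    ValidateIssuerSigningKey = true,
                    RequireSignedTokens = true,
                    RequireExpirationTime = true,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),
                    // Cognito ID tokens put the app client id in "aud"; access tokens put it
                    // in "client_id" and have no "aud", so accept either form of the claim.
                    ValidateAudience = true,
                    AudienceValidator = (audiences, token, parameters) =>
                    {
                        if (audiences != null && audiences.Contains(AppClientId))
                            return true;
                        var jwt = token as JwtSecurityToken;
                        return jwt != null
                            && jwt.Claims.Any(c => c.Type == "client_id" && c.Value == AppClientId);
                    }
                };
            });
    }
}
```

Call `services.AddCognitoJwtBearer();` from ConfigureServices and keep `app.UseAuthentication();` in Configure as in the answer; a token with a wrong issuer, an unknown client id or an expired "exp" is then rejected with 401 instead of being accepted on signature alone.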
