
I am using Cognito (using the amazon-javascript-sdk) in a .NET Core Angular application and I'm trying to verify the access_token that I get from Amazon in my .NET Core back-end so that I can protect my Web API.

Using the Amazon Cognito JWKS I am able to validate the access_token and therefore allow/deny access to my API. The thing is that I now have the JWK keys hardcoded in my Startup.cs.

What I understand from JWKS is that these keys can rotate (I did not find whether Amazon does this), so I would like to somehow tell my middleware to get the keys from an endpoint. I read something about discovery documents and other stuff but can't find anything on how to configure the middleware to do this automatically.

For OpenID you can use the MetadataAddress to point to https://cognito-idp.{awsregion}.amazonaws.com/{userPool}/.well-known/openid-configuration and that will get all the configuration necessary. I feel something similar should exist for the IssuerSigningKey (JWK) if you use the JwtBearer middleware. Instead of setting a hardcoded key I expect to point to the JWK URL where the middleware will locate the keys and do its magic. The JWKS also contains multiple keys, so I expect the middleware to figure out itself which key to use.

Relevant code:

services.AddAuthentication(options =>
{
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(jwt =>
{
    jwt.TokenValidationParameters = new TokenValidationParameters
    {
        // Single RSA key built from a hardcoded modulus/exponent (the problem being asked about)
        IssuerSigningKey = MagicFunction("hardcodedRSAModules", "hardcodedRSA"),
        ValidIssuer = "https://cognito-idp.us-east-2.amazonaws.com/{userpool}",
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidateLifetime = true,
        // Cognito access tokens carry no "aud" claim, so audience validation is off here
        ValidateAudience = false,
        ClockSkew = TimeSpan.FromMinutes(0)
    };
});

1 Answer

Using the Amazon openid-configuration, available here:

https://cognito-idp.{region}.amazonaws.com/{UserPoolId}/.well-known/openid-configuration

you can use the ConfigurationManager to get the SecurityKeys. In the TokenValidationParameters you can set the IssuerSigningKeys to the keys you get from the ConfigurationManager.

This article was also very helpful in finding the solution: https://developer.okta.com/blog/2018/03/23/token-authentication-aspnetcore-complete-guide

This answer was posted as an edit to the question .Net Core JwtBearer middleware using Amazon Cognito by the OP blaataap under CC BY-SA 4.0.
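The approach the answer describes, written out as an added example (this is not the original post's code nor an AWS sample). It loads the Cognito discovery document with ConfigurationManager, follows its jwks_uri, and hands the JwtBearer middleware the signing keys through IssuerSigningKeyResolver, selecting the key by kid and forcing one refresh when an unknown kid turns up so a rotated key is picked up without a restart. REGION, USER_POOL_ID and APP_CLIENT_ID are placeholders you must fill in; the code assumes the Microsoft.AspNetCore.Authentication.JwtBearer and Microsoft.IdentityModel.Protocols.OpenIdConnect packages.

```csharp
// Added example: Cognito JWKS resolution via the OpenID discovery document.
// Placeholders (assumptions): REGION, USER_POOL_ID, APP_CLIENT_ID.
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class CognitoJwtSetup
{
    const string Region = "REGION";             // placeholder, e.g. us-east-2
    const string UserPoolId = "USER_POOL_ID";   // placeholder
    const string AppClientId = "APP_CLIENT_ID"; // placeholder

    static readonly string Issuer = $"https://cognito-idp.{Region}.amazonaws.com/{UserPoolId}";
    static readonly string Metadata = Issuer + "/.well-known/openid-configuration";

    public static IServiceCollection AddCognitoJwtBearer(this IServiceCollection services)
    {
        // Downloads the discovery document, follows jwks_uri, parses and caches the keys.
        // RequestRefresh() marks the cache stale so the next call re-downloads.
        var configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            Metadata,
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = true });

        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(jwt =>
        {
            jwt.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = Issuer,
                // Cognito access tokens have no "aud"; the app client is in "client_id",
                // which is checked in OnTokenValidated below instead.
                ValidateAudience = false,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.Zero,
                ValidateIssuerSigningKey = true,
                // Select the JWKS key whose kid matches the token header.
                IssuerSigningKeyResolver = (token, securityToken, kid, parameters) =>
                {
                    var config = configManager.GetConfigurationAsync(CancellationToken.None)
                                              .GetAwaiter().GetResult();
                    var keys = config.SigningKeys.Where(k => k.KeyId == kid).ToList();
                    if (keys.Count == 0)
                    {
                        // Unknown kid: the pool may have rotated keys, refresh once and retry.
                        configManager.RequestRefresh();
                        config = configManager.GetConfigurationAsync(CancellationToken.None)
                                              .GetAwaiter().GetResult();
                        keys = config.SigningKeys.Where(k => k.KeyId == kid).ToList();
                    }
                    return keys; // empty list => signature validation fails
                }
            };

            // Reject ID tokens and access tokens minted for another app client.
            jwt.Events = new JwtBearerEvents
            {
                OnTokenValidated = ctx =>
                {
                    var tokenUse = ctx.Principal?.FindFirst("token_use")?.Value;
                    var clientId = ctx.Principal?.FindFirst("client_id")?.Value;
                    if (tokenUse != "access" || clientId != AppClientId)
                    {
                        ctx.Fail("not an access token for this app client");
                    }
                    return Task.CompletedTask;
                }
            };
        });

        return services;
    }
}
```

Call `services.AddCognitoJwtBearer();` from ConfigureServices and keep `app.UseAuthentication();` before `app.UseMvc()` (or `UseEndpoints`). The explicit resolver is there to make the mechanism visible; setting `jwt.MetadataAddress = Metadata` (or `jwt.Authority = Issuer`) without any IssuerSigningKey at all makes the JwtBearer handler build the same ConfigurationManager internally, match keys by kid and refresh on an unknown kid, which is the shorter production form of the same answer.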
