AWS cognito medium security documentation change
Summary
Expanded OIDC flow documentation with detailed token validation steps and added JWKS key refresh process
Security assessment
Added detailed steps for token validation including signature checks and explicit mention of refreshing signing keys from JWKS endpoint for each token, which addresses potential security concerns around key rotation and token forgery prevention.
Diff
diff --git a/cognito/latest/developerguide/cognito-user-pools-oidc-flow.md index b94f85d39..0c05775eb 100644 --- a/cognito/latest/developerguide/cognito-user-pools-oidc-flow.md +++ b/cognito/latest/developerguide/cognito-user-pools-oidc-flow.md @@ -15 +15 @@ When your user signs in to your application using an OIDC IdP, your user pool co - 1. Your user lands on the Amazon Cognito built-in sign-in page, and is offered the option to sign in through an OIDC IdP, for example Salesforce. + 1. A user accesses your managed login sign-in page, and chooses to sign in with their OIDC IdP. @@ -17 +17 @@ When your user signs in to your application using an OIDC IdP, your user pool co - 2. Your user is redirected to the `authorization` endpoint of the OIDC IdP. + 2. Your application directs the user's browser to the authorization endpoint of your user pool. @@ -19 +19 @@ When your user signs in to your application using an OIDC IdP, your user pool co - 3. After your user authenticates, the OIDC IdP redirects to Amazon Cognito with an authorization code. + 3. Your user pool redirects the request to the authorization endpoint of the OIDC IdP. @@ -21 +21 @@ When your user signs in to your application using an OIDC IdP, your user pool co - 4. Amazon Cognito exchanges the authorization code with the OIDC IdP for an access token. + 4. Your IdP displays a login prompt. @@ -23 +23 @@ When your user signs in to your application using an OIDC IdP, your user pool co - 5. Amazon Cognito creates or updates the user account in your user pool. + 5. In your application, your user's session displays a sign-in prompt for the OIDC IdP. @@ -25 +25,21 @@ When your user signs in to your application using an OIDC IdP, your user pool co - 6. Amazon Cognito issues your application bearer tokens, which might include identity, access, and refresh tokens. + 6. The user enters their credentials for the IdP or presents a cookie for an already-authenticated session. + + 7. After your user authenticates, the OIDC IdP redirects to Amazon Cognito with an authorization code. + + 8. Your user pool exchanges the authorization code for ID and access tokens. Amazon Cognito receives access tokens when you configure your IdP with the scopes `openid`. The claims in the ID token and the `userInfo` response are determined by additional scopes from your IdP configuration, for example `profile` and `email`. + + 9. Your IdP issues the requested tokens. + + 10. Your user pool determines the path to the IdP `jwks_uri` endpoint from the issuer URLs in your IdP configuration and requests the token signing keys from the JSON web key set (JWKS) endpoint. + + 11. The IdP returns signing keys from the JWKS endpoint. + + 12. Your user pool validates the IdP tokens from signature and expiration data in the tokens. + + 13. Your user pool authorizes a request to the IdP `userInfo` endpoint with the access token. The IdP responds with user data based on the access token scopes. + + 14. Your user pool compares the ID token and `userInfo` response from the IdP to the attribute-mapping rules in your user pool. It writes mapped IdP attributes to user pool profile attributes. + + 15. Amazon Cognito issues your application bearer tokens, which might include identity, access, and refresh tokens. + + 16. Your application processes the user pool tokens and signs the user in. @@ -50 +70 @@ Amazon Cognito validates the provider ID token with the following checks: - 2. If the provider signed the token with an asymmetric signing algorithm, check that the signing key ID in the token `kid` claim is listed at the provider `jwks_uri` endpoint. + 2. If the provider signed the token with an asymmetric signing algorithm, check that the signing key ID in the token `kid` claim is listed at the provider `jwks_uri` endpoint. Amazon Cognito refreshes the signing key from the JWKS endpoint in your IdP configuration for each IdP ID token that it processes.