AWS cognito documentation change
Summary
Added note about OIDC IdP signing key cache behavior during key rotation and updated 'login' to 'sign in' terminology
Security assessment
The added note explains cache behavior related to security-critical signing keys, which is security-adjacent documentation. However, there is no evidence of addressing a specific vulnerability or incident.
Diff
diff --git a/cognito/latest/developerguide/open-id.md index 48923b126..f3fb5b876 100644 --- a/cognito/latest/developerguide/open-id.md +++ b/cognito/latest/developerguide/open-id.md @@ -54 +54 @@ You can associate multiple OpenID Connect providers with a single identity pool. -Refer to your provider's documentation for how to login and receive an ID token. +Refer to your provider's documentation for how to sign in and receive an ID token. @@ -69,0 +70,4 @@ As specified here ([https://tools.ietf.org/html/rfc7523](https://tools.ietf.org/ +###### Note + +Identity pools maintain a cache of the OIDC IdP signing key for a brief period. If your provider changes their signing key, Amazon Cognito might return a `NoKeyFound` error until this cache refreshes. If you encounter this error, wait about ten minutes for your identity pool to refresh the signing key. +