AWS cognito documentation change
Summary
Added footnotes about OIDC/jwks.json updates and updated SAML sign-in reference
Security assessment
Adds documentation about dynamic updates to OIDC configuration and token-signing keys, which are critical for secure token validation. This informs users to handle key rotation but does not address a specific vulnerability.
Diff
diff --git a/cognito/latest/developerguide/federation-endpoints.md b/cognito/latest/developerguide/federation-endpoints.md index a51257366..2dbe44d52 100644 --- a//cognito/latest/developerguide/federation-endpoints.md +++ b//cognito/latest/developerguide/federation-endpoints.md @@ -26,2 +26,2 @@ https://`Your user pool domain`/oauth2/revoke | Revokes a refresh token and the -https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/openid-configuration | A directory of the OIDC architecture of your user pool. | Requested by app to locate user pool issuer metadata. -https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/jwks.json | Public keys that you can use to validate Amazon Cognito tokens. | Requested by app to verify JWTs. +https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/openid-configuration | A directory of the OIDC architecture of your user pool.1 | Requested by app to locate user pool issuer metadata. +https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/jwks.json | Public keys that you can use to validate Amazon Cognito tokens.2 | Requested by app to verify JWTs. @@ -29 +29 @@ https://`Your user pool domain`/oauth2/idpresponse | Social identity providers m -https://`Your user pool domain`/saml2/idpresponse | The Assertion Consumer Response (ACS) URL for integration with SAML 2.0 identity providers. | Redirected from SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in1. +https://`Your user pool domain`/saml2/idpresponse | The Assertion Consumer Response (ACS) URL for integration with SAML 2.0 identity providers. | Redirected from SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in3. @@ -32 +32,5 @@ https://`Your user pool domain`/saml2/logout | The [Single Logout](./cognito-use -1 For more information about IdP-initiated SAML sign-in, see [Implement IdP-initiated SAML sign-in](./cognito-user-pools-SAML-session-initiation.html#cognito-user-pools-SAML-session-initiation-idp-initiation). +1 The `openid-configuration` document might be updated at any time with additional information that keeps the endpoint compliant with the OIDC and OAuth2 specifications. + +2The `jwks.json` JSON file might be updated at any time to with new public token signing keys. + +3 For more information about IdP-initiated SAML sign-in, see [Implement IdP-initiated SAML sign-in](./cognito-user-pools-SAML-session-initiation.html#cognito-user-pools-SAML-session-initiation-idp-initiation).