AWS Security ChangesHomeSearch

AWS cognito documentation change

Service: cognito · 2025-08-28 · Documentation low

File: cognito/latest/developerguide/federation-endpoints.md

Summary

Added footnotes about OIDC/jwks.json updates and updated SAML sign-in reference

Security assessment

Adds documentation about dynamic updates to OIDC configuration and token-signing keys, which are critical for secure token validation. This informs users to handle key rotation but does not address a specific vulnerability.

Diff

diff --git a/cognito/latest/developerguide/federation-endpoints.md b/cognito/latest/developerguide/federation-endpoints.md
index a51257366..2dbe44d52 100644
--- a//cognito/latest/developerguide/federation-endpoints.md
+++ b//cognito/latest/developerguide/federation-endpoints.md
@@ -26,2 +26,2 @@ https://`Your user pool domain`/oauth2/revoke | Revokes a refresh token and the
-https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/openid-configuration | A directory of the OIDC architecture of your user pool. | Requested by app to locate user pool issuer metadata.  
-https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/jwks.json | Public keys that you can use to validate Amazon Cognito tokens. | Requested by app to verify JWTs.  
+https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/openid-configuration | A directory of the OIDC architecture of your user pool.1 | Requested by app to locate user pool issuer metadata.  
+https://cognito-idp.`Region`.amazonaws.com/`your user pool ID`/.well-known/jwks.json | Public keys that you can use to validate Amazon Cognito tokens.2 | Requested by app to verify JWTs.  
@@ -29 +29 @@ https://`Your user pool domain`/oauth2/idpresponse | Social identity providers m
-https://`Your user pool domain`/saml2/idpresponse | The Assertion Consumer Response (ACS) URL for integration with SAML 2.0 identity providers. | Redirected from SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in1.  
+https://`Your user pool domain`/saml2/idpresponse | The Assertion Consumer Response (ACS) URL for integration with SAML 2.0 identity providers. | Redirected from SAML 2.0 IdP as the ACS URL, or the origination point for IdP-initiated sign-in3.  
@@ -32 +32,5 @@ https://`Your user pool domain`/saml2/logout | The [Single Logout](./cognito-use
-1 For more information about IdP-initiated SAML sign-in, see [Implement IdP-initiated SAML sign-in](./cognito-user-pools-SAML-session-initiation.html#cognito-user-pools-SAML-session-initiation-idp-initiation).
+1 The `openid-configuration` document might be updated at any time with additional information that keeps the endpoint compliant with the OIDC and OAuth2 specifications.
+
+2The `jwks.json` JSON file might be updated at any time to with new public token signing keys.
+
+3 For more information about IdP-initiated SAML sign-in, see [Implement IdP-initiated SAML sign-in](./cognito-user-pools-SAML-session-initiation.html#cognito-user-pools-SAML-session-initiation-idp-initiation).