Node.js script to obtain the certificate thumbprint of a Cognito User Pool's JWKS endpoint, for registering the pool as an OpenID Connect identity provider in IAM.
const { promisify } = require('util');
const openssl = require('openssl-wrapper');
const axios = require('axios');
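// Pool location. Values can be supplied through the environment so the
// script does not have to be edited per pool; the literals below are the
// previous hard-coded defaults. An empty environment value counts as unset.
const config = {
  region: process.env.AWS_REGION || 'us-east-1',
  userPoolId: process.env.COGNITO_USER_POOL_ID || 'your-user-pool-id',
};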
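// Entry point: print the thumbprint, or the error, and leave a non-zero exit
// code on failure so a shell pipeline or CI job does not treat a failed
// lookup as success.
getThumbprint()
  .then((thumbprint) => {
    console.log(thumbprint);
  })
  .catch((err) => {
    console.error(err);
    process.exitCode = 1;
  });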
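/**
 * Resolve the SHA-1 thumbprint of the top-most CA certificate in the TLS
 * chain served by the user pool's JWKS endpoint, which is the value IAM asks
 * for when a Cognito User Pool is registered as an OIDC identity provider.
 *
 * Caveat: the chain comes from an `openssl s_client` session whose
 * verification result is not checked, so the thumbprint is trust-on-first-use.
 * Confirm it from a second vantage point before putting it into IAM, and
 * expect to refresh it when the CA chain rotates.
 *
 * @param {string} [region] AWS region of the pool; defaults to config.region.
 * @param {string} [userPoolId] Cognito user pool id; defaults to config.userPoolId.
 * @returns {Promise<string>} 40 hex characters with the colons removed.
 * @throws {Error} when the config is not filled in, the discovery document has
 *   no https jwks_uri, no certificate comes back, or openssl prints something
 *   other than a SHA-1 fingerprint.
 */
async function getThumbprint(region = config.region, userPoolId = config.userPoolId) {
  // Both values are interpolated into a URL; reject placeholders and anything
  // that could alter the path (slashes, whitespace, query characters).
  const safeSegment = /^[A-Za-z0-9_-]+$/;
  if (!safeSegment.test(String(region)) || !safeSegment.test(String(userPoolId))) {
    throw new Error('region and userPoolId must be set to plain identifiers');
  }

  // openssl-wrapper is callback based; the original script called an
  // `opensslAsync` it never defined. Current builds of the package expose the
  // function as `.default`, older ones as the module itself.
  const opensslAsync = promisify(openssl.default || openssl);

  const oidcUrl = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
  const discovery = await axios.get(`${oidcUrl}/.well-known/openid-configuration`, { timeout: 10000 });
  const jwksUri = discovery.data && discovery.data.jwks_uri;
  if (typeof jwksUri !== 'string') {
    throw new Error('openid-configuration did not contain a jwks_uri');
  }

  const parsedJWKS = new URL(jwksUri);
  // Only an https endpoint has a certificate chain to fingerprint.
  if (parsedJWKS.protocol !== 'https:') {
    throw new Error(`jwks_uri is not https: ${jwksUri}`);
  }
  // `host` would carry an explicit port into "host:port:443"; use the parts.
  const host = parsedJWKS.hostname;
  const port = parsedJWKS.port || '443';

  // -servername sets SNI so the server returns the chain for this host;
  // -showcerts prints every certificate it sends, leaf first.
  const certResponse = await opensslAsync('s_client', {
    servername: host,
    showcerts: true,
    connect: `${host}:${port}`,
  });
  const certString = Buffer.from(certResponse).toString();

  // The last PEM block is the top-most CA the server presented, which is the
  // certificate the IAM thumbprint procedure refers to.
  const beginMarker = '-----BEGIN CERTIFICATE-----';
  const endMarker = '-----END CERTIFICATE-----';
  const begin = certString.lastIndexOf(beginMarker);
  const end = certString.lastIndexOf(endMarker);
  if (begin === -1 || end === -1 || end < begin) {
    throw new Error(`no certificate chain returned by ${host}:${port}`);
  }
  const cert = certString.slice(begin, end + endMarker.length);

  // IAM expects the SHA-1 fingerprint; ask for it explicitly instead of
  // relying on OpenSSL's default digest for -fingerprint.
  const fingerprintResponse = await opensslAsync('x509', Buffer.from(cert), {
    fingerprint: true,
    sha1: true,
    noout: true,
  });
  const fingerprintLine = Buffer.from(fingerprintResponse).toString();
  const match = /Fingerprint=([0-9A-Fa-f:]+)/.exec(fingerprintLine);
  if (match === null) {
    throw new Error(`unexpected openssl output: ${fingerprintLine.trim()}`);
  }
  const thumbprint = match[1].replace(/:/g, '');
  if (thumbprint.length !== 40) {
    throw new Error(`expected a 40-character SHA-1 thumbprint, got ${thumbprint}`);
  }
  return thumbprint;
}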
For those needing this in 2023, the version below works: it wraps `openssl-wrapper`'s default export with `util.promisify` and calls it as `openssl`, which the original listing's `opensslAsync` call relied on without defining.
const promisify = require('util').promisify;
const openssl = promisify(require('openssl-wrapper').default);
const axios = require('axios');
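// Pool location. Values can be supplied through the environment so the
// script does not have to be edited per pool; the 'CHANGE ME' literals are
// placeholders that getThumbprint rejects. An empty environment value counts
// as unset.
const config = {
  region: process.env.AWS_REGION || 'CHANGE ME',
  userPoolId: process.env.COGNITO_USER_POOL_ID || 'CHANGE ME',
};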
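// Entry point: print the thumbprint, or the error, and leave a non-zero exit
// code on failure so a shell pipeline or CI job does not treat a failed
// lookup as success.
getThumbprint()
  .then((thumbprint) => {
    console.log(thumbprint);
  })
  .catch((err) => {
    console.error(err);
    process.exitCode = 1;
  });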
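/**
 * Resolve the SHA-1 thumbprint of the top-most CA certificate in the TLS
 * chain served by the user pool's JWKS endpoint, which is the value IAM asks
 * for when a Cognito User Pool is registered as an OIDC identity provider.
 *
 * Caveat: the chain comes from an `openssl s_client` session whose
 * verification result is not checked, so the thumbprint is trust-on-first-use.
 * Confirm it from a second vantage point before putting it into IAM, and
 * expect to refresh it when the CA chain rotates.
 *
 * @param {string} [region] AWS region of the pool; defaults to config.region.
 * @param {string} [userPoolId] Cognito user pool id; defaults to config.userPoolId.
 * @returns {Promise<string>} 40 hex characters with the colons removed.
 * @throws {Error} when the config is not filled in, the discovery document has
 *   no https jwks_uri, no certificate comes back, or openssl prints something
 *   other than a SHA-1 fingerprint.
 */
async function getThumbprint(region = config.region, userPoolId = config.userPoolId) {
  // Both values are interpolated into a URL; reject the 'CHANGE ME'
  // placeholders and anything that could alter the path (slashes,
  // whitespace, query characters).
  const safeSegment = /^[A-Za-z0-9_-]+$/;
  if (!safeSegment.test(String(region)) || !safeSegment.test(String(userPoolId))) {
    throw new Error('region and userPoolId must be set to plain identifiers');
  }

  const oidcUrl = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
  const discovery = await axios.get(`${oidcUrl}/.well-known/openid-configuration`, { timeout: 10000 });
  const jwksUri = discovery.data && discovery.data.jwks_uri;
  if (typeof jwksUri !== 'string') {
    throw new Error('openid-configuration did not contain a jwks_uri');
  }

  const parsedJWKS = new URL(jwksUri);
  // Only an https endpoint has a certificate chain to fingerprint.
  if (parsedJWKS.protocol !== 'https:') {
    throw new Error(`jwks_uri is not https: ${jwksUri}`);
  }
  // `host` would carry an explicit port into "host:port:443"; use the parts.
  const host = parsedJWKS.hostname;
  const port = parsedJWKS.port || '443';

  // -servername sets SNI so the server returns the chain for this host;
  // -showcerts prints every certificate it sends, leaf first.
  const certResponse = await openssl('s_client', {
    servername: host,
    showcerts: true,
    connect: `${host}:${port}`,
  });
  const certString = Buffer.from(certResponse).toString();

  // The last PEM block is the top-most CA the server presented, which is the
  // certificate the IAM thumbprint procedure refers to.
  const beginMarker = '-----BEGIN CERTIFICATE-----';
  const endMarker = '-----END CERTIFICATE-----';
  const begin = certString.lastIndexOf(beginMarker);
  const end = certString.lastIndexOf(endMarker);
  if (begin === -1 || end === -1 || end < begin) {
    throw new Error(`no certificate chain returned by ${host}:${port}`);
  }
  const cert = certString.slice(begin, end + endMarker.length);

  // IAM expects the SHA-1 fingerprint; ask for it explicitly instead of
  // relying on OpenSSL's default digest for -fingerprint.
  const fingerprintResponse = await openssl('x509', Buffer.from(cert), {
    fingerprint: true,
    sha1: true,
    noout: true,
  });
  const fingerprintLine = Buffer.from(fingerprintResponse).toString();
  const match = /Fingerprint=([0-9A-Fa-f:]+)/.exec(fingerprintLine);
  if (match === null) {
    throw new Error(`unexpected openssl output: ${fingerprintLine.trim()}`);
  }
  const thumbprint = match[1].replace(/:/g, '');
  if (thumbprint.length !== 40) {
    throw new Error(`expected a 40-character SHA-1 thumbprint, got ${thumbprint}`);
  }
  return thumbprint;
}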
This follows the thumbprint-verification flow AWS documents at https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html. Note that the script only parses certificates out of the `openssl s_client` output and never checks that session's verification result, so the thumbprint is trust-on-first-use: confirm it from a second vantage point before registering it in IAM, and re-run the script when the provider's CA chain changes.