AWS API Gateway 可以从任何可通过 Internet 访问的位置获取 JWKS URI。常见的来源包括 AWS Certificate Manager 和外部身份验证提供商。
以下是通过AWS Certificate Manager获取JWKS Uri的示例代码:
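# Request a DNS-validated certificate and capture its ARN from the CLI output
# instead of hard-coding it; every later call reuses "$cert_arn".
domain=mydomain.example.com
cert_arn=$(aws acm request-certificate \
  --domain-name "$domain" \
  --validation-method DNS \
  --query 'CertificateArn' --output text) || exit 1

# Print the CNAME validation record (DomainValidationOptions[].ResourceRecord).
# It must be published in DNS before validation can complete; until then the
# certificate stays in PENDING_VALIDATION and the wait below will time out.
aws acm describe-certificate --certificate-arn "$cert_arn" \
  --query 'Certificate.DomainValidationOptions[].ResourceRecord'

# Block until ACM reports the certificate as validated (the original only
# described the certificate and never actually waited).
aws acm wait certificate-validated --certificate-arn "$cert_arn" || exit 1

# Full certificate details after validation; Status should now be ISSUED.
# NOTE(review): ACM hands back an X.509 certificate chain, not a JWK Set --
# confirm this is the artifact the JWT authorizer actually consumes.
aws acm describe-certificate --certificate-arn "$cert_arn"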
{
"Certificate": {
"CertificateArn": "arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012",
"DomainName": "mydomain.example.com",
"ValidationMethod": "DNS",
"Status": "PENDING_VALIDATION",
"DomainValidationOptions": [
{
"ValidationDomain": "example.com",
"ValidationStatus": "PENDING_VALIDATION",
"ResourceRecord": {
"Name": "_be1b57f264d3bfc6d811f5113014a070.example.com",
"Type": "CNAME",
"Value": "_a41d5d13d708537983cc8e90e17f2586.wqs2k3vem7.acm-validations.aws."
}
}
],
"CreatedAt": "2021-06-24T10:23:49.164000+00:00",
"IssuedAt": "2021-06-24T10:28:49.819000+00:00",
"Issuer": "Amazon",
"Subject": "mydomain.example.com",
"NotBefore": "2021-06-24T10:28:49.819000+00:00",
"NotAfter": "2022-06-24T10:28:49.819000+00:00",
"KeyAlgorithm": "RSA_2048",
"SignatureAlgorithm": "SHA256WITHRSA",
"InUseBy": [],
"NotAfterTime": 1656154129.819,
"SubjectAlternativeNames": []
}
}
# 获取证书的JWK Set URI
aws acm get-certificate --certificate-arn arn:aws:acm:us-west-2:123456789012:certificate/12345678-1234-1234-1234-123456789012 --query 'Certificate.CertificateChain' | openssl x509 -