How to verify JWT from AWS Cognito in the API backend?
Solution 1
Turns out I didn't read the docs right. It's explained here (scroll down to "Using ID Tokens and Access Tokens in your Web APIs").
The API service can download Cognito's secrets and use them to verify received JWT's. Perfect.
Edit
@Groady's comment is on point: but how do you validate the tokens? I'd say use a battle-tested library like jose4j or nimbus (both Java) for that and don't implement the verification from scratch yourself.
Here's an example implementation for Spring Boot using nimbus that got me started when I recently had to implement this in java/dropwizard service.
Solution 2
Here's a way to verify the signature on NodeJS:
var jwt = require('jsonwebtoken');
var jwkToPem = require('jwk-to-pem');
var pem = jwkToPem(jwk);
jwt.verify(token, pem, function(err, decoded) {
console.log(decoded)
});
// Note : You can get jwk from https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
Solution 3
Execute an Authorization Code Grant Flow
Assuming that you:
- have correctly configured a user pool in AWS Cognito, and
-
are able to signup/login and get an access code via:
https://<your-domain>.auth.us-west-2.amazoncognito.com/login?response_type=code&client_id=<your-client-id>&redirect_uri=<your-redirect-uri>
Your browser should redirect to <your-redirect-uri>?code=4dd94e4f-3323-471e-af0f-dc52a8fe98a0
Now you need to pass that code to your back-end and have it request a token for you.
POST https://<your-domain>.auth.us-west-2.amazoncognito.com/oauth2/token
- set your
Authorization
header toBasic
and useusername=<app client id>
andpassword=<app client secret>
per your app client configured in AWS Cognito - set the following in your request body:
grant_type=authorization_code
code=<your-code>
client_id=<your-client-id>
redirect_uri=<your-redirect-uri>
If successful, your back-end should receive a set of base64 encoded tokens.
{
id_token: '...',
access_token: '...',
refresh_token: '...',
expires_in: 3600,
token_type: 'Bearer'
}
Now, according to the documentation, your back-end should validate the JWT signature by:
- Decoding the ID token
- Comparing the local key ID (kid) to the public kid
- Using the public key to verify the signature using your JWT library.
Since AWS Cognito generates two pairs of RSA cryptograpic keys for each user pool, you need to figure out which key was used to encrypt the token.
Here's a NodeJS snippet that demonstrates verifying a JWT.
import jsonwebtoken from 'jsonwebtoken'
import jwkToPem from 'jwk-to-pem'
const jsonWebKeys = [ // from https://cognito-idp.us-west-2.amazonaws.com/<UserPoolId>/.well-known/jwks.json
{
"alg": "RS256",
"e": "AQAB",
"kid": "ABCDEFGHIJKLMNOPabc/1A2B3CZ5x6y7MA56Cy+6ubf=",
"kty": "RSA",
"n": "...",
"use": "sig"
},
{
"alg": "RS256",
"e": "AQAB",
"kid": "XYZAAAAAAAAAAAAAAA/1A2B3CZ5x6y7MA56Cy+6abc=",
"kty": "RSA",
"n": "...",
"use": "sig"
}
]
function validateToken(token) {
const header = decodeTokenHeader(token); // {"kid":"XYZAAAAAAAAAAAAAAA/1A2B3CZ5x6y7MA56Cy+6abc=", "alg": "RS256"}
const jsonWebKey = getJsonWebKeyWithKID(header.kid);
verifyJsonWebTokenSignature(token, jsonWebKey, (err, decodedToken) => {
if (err) {
console.error(err);
} else {
console.log(decodedToken);
}
})
}
function decodeTokenHeader(token) {
const [headerEncoded] = token.split('.');
const buff = new Buffer(headerEncoded, 'base64');
const text = buff.toString('ascii');
return JSON.parse(text);
}
function getJsonWebKeyWithKID(kid) {
for (let jwk of jsonWebKeys) {
if (jwk.kid === kid) {
return jwk;
}
}
return null
}
function verifyJsonWebTokenSignature(token, jsonWebKey, clbk) {
const pem = jwkToPem(jsonWebKey);
jsonwebtoken.verify(token, pem, {algorithms: ['RS256']}, (err, decodedToken) => clbk(err, decodedToken))
}
validateToken('xxxxxxxxx.XXXXXXXX.xxxxxxxx')
Solution 4
Short answer:
You can get the public key for your user pool from the following endpoint:
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
If you successfully decode the token using this public key then the token is valid else it is forged.
Long answer:
After you successfully authenticate via cognito, you get your access and id tokens. Now you want to validate whether this token has been tampered with or not. Traditionally we would send these tokens back to the authentication service (which issued this token at the first place) to check if the token is valid. These systems use symmetric key encryption
algorithms such as HMAC
to encrypt the payload using a secret key and so only this system is capable to tell if this token is valid or not.
Traditional auth JWT token Header:
{
"alg": "HS256",
"typ": "JWT"
}
Note here that encryption algorithm used here is symmetric - HMAC + SHA256
But modern authentication systems like Cognito use asymmetric key encryption
algorithms such as RSA
to encrypt the payload using a pair of public and private key. Payload is encrypted using a private key but can be decoded via public key. Major advantage of using such an algorithm is that we don't have to request a single authentication service to tell if a token is valid or not. Since everyone has access to the public key, anyone can verify validity of token. The load for validation is fairly distributed and there is no single point of failure.
Cognito JWT token header:
{
"kid": "abcdefghijklmnopqrsexample=",
"alg": "RS256"
}
Asymmetric encryption algorithm used in this case - RSA + SHA256
Solution 5
cognito-jwt-verifier is a tiny npm package to verify ID and access JWT tokens obtained from AWS Cognito in your node/Lambda backend with minimal dependencies.
Disclaimer: I'm the author of this. I came up with it because I couldn't find anything checking all the boxes for me:
- minimal dependencies
- framework agnostic
- JWKS (public keys) caching
- test coverage
Usage (see github repo for a more detailed example):
const { verifierFactory } = require('@southlane/cognito-jwt-verifier')
const verifier = verifierFactory({
region: 'us-east-1',
userPoolId: 'us-east-1_PDsy6i0Bf',
appClientId: '5ra91i9p4trq42m2vnjs0pv06q',
tokenType: 'id', // either "access" or "id"
})
const token = 'eyJraWQiOiI0UFFoK0JaVE...' // clipped
try {
const tokenPayload = await verifier.verify(token)
} catch (e) {
// catch error and act accordingly, e.g. throw HTTP 401 error
}
EagleBeak
Updated on November 04, 2021Comments
-
EagleBeak over 2 years
I'm building a system consisting of an Angular2 single page app and a REST API running on ECS. The API runs on .Net/Nancy, but that might well change.
I would like to give Cognito a try and this is how I imagined the authentication workflow:
- SPA signs in user and receives a JWT
- SPA sends JWT to REST API with every request
- REST API verfies that the JWT is authentic
My question is about step 3. How can my server (or rather: my stateless, auto-scaled, load-balanced Docker containers) verify that the token is authentic? Since the "server" hasn't issued the JWT itself, it can't use its own secret (as described in the basic JWT example here).
I have read through the Cognito docs and googled a lot, but I can't find any good guideline about what to do with the JWT on the server side.
-
Will about 7 yearsThe documentation is crap at best. Step 6 says "Verify the signature of the decoded JWT token"... yeah... HOW!?!? According to this this blog post you need to convert the JWK to a PEM. Could they not put how to do this on the official docs?!
-
Nic almost 7 yearsA followup to Groady as I'm going through this. Depending on your library, you shouldn't need to convert to pem. For example, I'm on Elixir, and Joken takes the RSA key map exactly as provided by Amazon. I spent a lot of time spinning my wheels when I thought the key had to be a string.
-
Eric B. about 6 yearsThanks for the example link! Helped a lot to understand how to use the nimbus library. Any ideas, however, if I can extract the remote JWK set to be an external cache? I'd like to put the JWKSet in Elasticache instead.
-
Nirojan Selvanathan almost 6 yearsThanks ,saved my day!
-
redgeoff over 5 yearsThanks for this! There were also a bunch of details that I needed to consider when converting the JWK to a PEM: aws.amazon.com/blogs/mobile/…
-
Nghia almost 5 yearsShould we save the content of JWKs in local configuration for re-use? Is this content expire or become invalid in the future?
-
Jernej Jerin about 4 yearsAwslabs is a good resource even though example implementation is for Lambda. They use
python-jose
to decode and verify JWT. -
dubucha almost 4 years@Nghia "Instead of downloading the JWK Set directly from your Lambda function, you can download it manually once, converting the keys to PEMs and uploading them with your Lambda function." from aws.amazon.com/blogs/mobile/…
-
Zach Saucier over 3 yearsIs
<app client id>
the same as<your-client-id>
? -
Zach Saucier over 3 yearsAnswering my question above: It is but it's not necessary in the body if you are providing a secret in the header.
-
Zach Saucier over 3 years
new Buffer(headerEncoded, 'base64')
should now beBuffer.from(headerEncoded, 'base64')
-
Dale Anderson almost 3 yearsThis is a fantastic answer that saved me a lot of time! I created a working sample that demonstrates the full flow using the token verifier package below. gitlab.com/danderson00/cognito-srp-js
-
Christopher Thomas about 2 yearsA problem that we have identified recently, is that a "valid token" isn't necessarily a valid token. Imagine if you revoke a token. The JWT will still be a valid token. However the token is not valid to use with the service. Just checking the token's validity itself does not help you know whether you can use it or not with AWS Cognito