CategoryTagArticle

admin

I'm a Full-stack developer
Tag
Linked List
Data Structure
Chat GPT
Design Pattern
Microservices
API
AWS CDK
ReactJS
AWS Lightsail
Flutter Mobile
NodeJS Verify and Decode Cognito JWT Tokens
Published date: 12/06/2023

In this article, I will show you how to verify and decode the Cognito JWT Tokens token. Before going ahead, we should understand quickly: What is JWT and what does it have?


What is JWT?


 JSON Web Token (JWT) is an open standard used to share security information between two parties — a client and a server.

JWT has 3 parts: Header, Payload, and Signature.

  • Header: contains the type of token and the signing algorithm being used, such as HMAC SHA256 or RSA.
  • Payload: contains the claims (registered, public, and private claims)
  • Signature: is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.


The Cognito JWT is safe?


This token is safe and reliable because the signature that identifies the token generated by Cognito is not from a 3rd party. We use the public key provided by Cognito to verify the token. So there is no way to spoof the signature. It is possible to forge signatures, even stolen credentials, but they cannot forge signatures from Cognito.

  • Public keys: can decrypt the signature
  • Private keys: can decrypt and encrypt signature.


How to get the public key?


To get the public key we can have 2 ways using a web browser or Postman in the URL format below:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json


After you send the request, you will get the result as below:

Postman



Web browser




In the results above we see that there are 2 public keys, do you ask the question which public key do we use? So how do we know which key we will use?


First, go to the page JWT


Then you paste your id-token in




After decoding you will see a kid. Find the kid in the public key that matches the kid after deciding. You will use that public key.

Please create a jwks.json file with the required public key content.


How to verify tokens?


First, you need to install the following 2 packages


jsonwebtoken
jwk-to-pem


Next, create a file to verify the token with the name is verify-token.ts


import { NextFunction, Request, Response } from 'express';

import { readFileSync } from 'fs';
import jwt from 'jsonwebtoken';
import jwkToPem from 'jwk-to-pem';
import path from 'path';

const verifyIdToken = async (req: Request, res: Response, next: NextFunction) => {
  try {
    const data = readFileSync(path.resolve(__dirname, 'jwks.json')) as any;

    const authorization = req.headers?.['authorization'] as string;

    if (!authorization) {
      return new BadRequestResponse('Missing token.').send(res);
    }

    const token = authorization.split(' ')[1];

    const pem = jwkToPem(JSON.parse(data));

    const auth = jwt.verify(token, pem, { algorithms: ['RS256'] });

    res.locals.auth = auth;

    return next();
  } catch (error: any) {
    return next(new BadTokenError(error.message));
  }
};


Results when verifying successfully


{
   sub: 'a1f715a3-c758-443a-93ea-9939e4354b6e',
   iss: '',
   phone_number_verified: true,
   'cognito:username': '',
   origin_jti: '0698df1d-5687-46cf-a4ac-d964ed3cc629',
   aud: '',
   event_id: 'cf9115a3-0d8a-43c6-82f9-f2e7f6ef2853',
   token_use: 'id',
   auth_time: 1671875444,
   phone_number: '',
   exp: 1671879043,
   iat: 1671875444,
   jti: 'b453e27e-2086-45f0-bd3d-35542ab4e0cb'
}


Hope this article will be of help to you. Good luck!

Recommend
TypeScript Design Pattern - Singleton
admin07/08/2023
TypeScript Design Pattern - Singleton
The singleton ensures only a single install is created in a class and provides a method to access this instance everywhere in a codebase.
JOI - API schema validation
admin12/06/2023
JOI - API schema validation
Data validation is one of topics that I am interesting. I always review my code after developed features or fixed bugs. There are many places where need to validate data, it is really terrible. Some cases, we need to validate data input because ensure the data into API, it will not make any problems to crash system.
Data structure: Doubly Linked List
admin07/04/2024
Data structure: Doubly Linked List
In this article, I would like to show you about Data structure - Doubly Linked List
Newest
TypeScript Design Pattern - Bridge
admin08/08/2023
TypeScript Design Pattern - Bridge
Decouple an abstraction from its implementation so that the two can vary independently.
Part 4: Creating Static Home Page on Ghost CMS
admin17/06/2023
Part 4: Creating Static Home Page on Ghost CMS
I believe that many of you are asking the question: How to fix the home page of Ghost CMS as desired? and are struggling to find many different sources of documentation.
Đinh Thành Công Blog

My website, where I write blogs on a variety of topics and where I have some experiments with new technologies.

hotlinelinkedinskypezalofacebook
DMCA.com Protection Status
Feedback
Name
Phone number
Email
Content
Download app
hotline

copyright © 2023 - AGAPIFA

Privacy
Term
About