Danh mụcThẻBài viết

admin

I'm a Full-stack developer
Thẻ
Linked List
Data Structure
Chat GPT
Design Pattern
Microservices
API
AWS CDK
ReactJS
AWS Lightsail
Flutter Mobile
NodeJS Verify and Decode Cognito JWT Tokens
Ngày đăng: 12/06/2023

In this article, I will show you how to verify and decode the Cognito JWT Tokens token. Before going ahead, we should understand quickly: What is JWT and what does it have?


What is JWT?


 JSON Web Token (JWT) is an open standard used to share security information between two parties — a client and a server.

JWT has 3 parts: Header, Payload, and Signature.

  • Header: contains the type of token and the signing algorithm being used, such as HMAC SHA256 or RSA.
  • Payload: contains the claims (registered, public, and private claims)
  • Signature: is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.


The Cognito JWT is safe?


This token is safe and reliable because the signature that identifies the token generated by Cognito is not from a 3rd party. We use the public key provided by Cognito to verify the token. So there is no way to spoof the signature. It is possible to forge signatures, even stolen credentials, but they cannot forge signatures from Cognito.

  • Public keys: can decrypt the signature
  • Private keys: can decrypt and encrypt signature.


How to get the public key?


To get the public key we can have 2 ways using a web browser or Postman in the URL format below:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json


After you send the request, you will get the result as below:

Postman



Web browser




In the results above we see that there are 2 public keys, do you ask the question which public key do we use? So how do we know which key we will use?


First, go to the page JWT


Then you paste your id-token in




After decoding you will see a kid. Find the kid in the public key that matches the kid after deciding. You will use that public key.

Please create a jwks.json file with the required public key content.


How to verify tokens?


First, you need to install the following 2 packages


jsonwebtoken
jwk-to-pem


Next, create a file to verify the token with the name is verify-token.ts


import { NextFunction, Request, Response } from 'express';

import { readFileSync } from 'fs';
import jwt from 'jsonwebtoken';
import jwkToPem from 'jwk-to-pem';
import path from 'path';

const verifyIdToken = async (req: Request, res: Response, next: NextFunction) => {
  try {
    const data = readFileSync(path.resolve(__dirname, 'jwks.json')) as any;

    const authorization = req.headers?.['authorization'] as string;

    if (!authorization) {
      return new BadRequestResponse('Missing token.').send(res);
    }

    const token = authorization.split(' ')[1];

    const pem = jwkToPem(JSON.parse(data));

    const auth = jwt.verify(token, pem, { algorithms: ['RS256'] });

    res.locals.auth = auth;

    return next();
  } catch (error: any) {
    return next(new BadTokenError(error.message));
  }
};


Results when verifying successfully


{
   sub: 'a1f715a3-c758-443a-93ea-9939e4354b6e',
   iss: '',
   phone_number_verified: true,
   'cognito:username': '',
   origin_jti: '0698df1d-5687-46cf-a4ac-d964ed3cc629',
   aud: '',
   event_id: 'cf9115a3-0d8a-43c6-82f9-f2e7f6ef2853',
   token_use: 'id',
   auth_time: 1671875444,
   phone_number: '',
   exp: 1671879043,
   iat: 1671875444,
   jti: 'b453e27e-2086-45f0-bd3d-35542ab4e0cb'
}


Hope this article will be of help to you. Good luck!

Đề xuất
Part 2: Setup Custom Domain Zone + SSL for Ghost on AWS Lightsail
admin17/06/2023
Part 2: Setup Custom Domain Zone + SSL for Ghost on AWS Lightsail
In this section, I will continue to show you how to point Ghost Instance Static IP to your domain.
Difference Between Stack and Queue
admin07/04/2024
Difference Between Stack and Queue
In the fundamental data structure, besides the linked list, the stack and queue are also used widely in computer science and programming.
How to secure your API gateway
admin17/04/2024
How to secure your API gateway
In this blog, I will cover the 6 methods that technology leaders need to incorporate to secure and protect APIs.
Mới nhất
Create Project with Express + TypeScript + ESLint + Auto Reload
admin12/06/2023
Create Project with Express + TypeScript + ESLint + Auto Reload
In this article, I introduce to you how to initialize an Express + TypeScript project.
Difference Between Stack and Queue
admin07/04/2024
Difference Between Stack and Queue
In the fundamental data structure, besides the linked list, the stack and queue are also used widely in computer science and programming.
TypeScript Design Pattern - Prototype
admin07/08/2023
TypeScript Design Pattern - Prototype
The prototype pattern is one of the Creational pattern groups. The responsibility is to create a new object through clone the existing object instead of using the new key. The new object is the same as the original object, and we can change its property does not impact the original object.
Đinh Thành Công Blog

My website, where I write blogs on a variety of topics and where I have some experiments with new technologies.

hotlinelinkedinskypezalofacebook
DMCA.com Protection Status
Góp ý
Họ & Tên
Số điện thoại
Email
Nội dung
Tải ứng dụng
hotline

copyright © 2023 - AGAPIFA

Privacy
Term
About