NodeJS Verify and Decode Cognito JWT Tokens
Ngày đăng: 12/06/2023

In this article, I will show you how to verify and decode Cognito JWT tokens. Before going further, let's quickly cover what a JWT is and what it contains.


What is JWT?


JSON Web Token (JWT) is an open standard used to share security information between two parties: a client and a server.

JWT has 3 parts: Header, Payload, and Signature.

  • Header: contains the type of token and the signing algorithm being used, such as HMAC SHA256 or RSA.
  • Payload: contains the claims (registered, public, and private claims).
  • Signature: is used to verify that the message wasn't changed along the way and, for tokens signed with a private key, that the sender of the JWT is who it says it is.


Is the Cognito JWT safe?


This token is safe and reliable because the signature on a token generated by Cognito is produced by Cognito itself, not by a third party. We verify the token with the public key that Cognito publishes, so the signature cannot be spoofed. An attacker may be able to forge a signature with some other key, or even steal credentials, but they cannot forge Cognito's signature, because that requires Cognito's private key.

  • Public key: can only verify (decrypt) the signature.
  • Private key: can create (encrypt) the signature as well as verify it; Cognito never shares it.


How to get the public key?


To get the public keys, there are 2 ways: open the URL below in a web browser, or request it with Postman:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json


After you send the request, you will get the result as below:

[Screenshot: JWKS response in Postman]

[Screenshot: JWKS response in a web browser]

In the results above we see that there are 2 public keys, so the question is: which one do we use? How do we know which key to pick?


First, open the JWT page.


Then paste your ID token in.


After decoding you will see a kid in the token header. Find the key in the JWKS whose kid matches that value; that is the public key you will use.

Create a jwks.json file containing that public key (the matching JWK object).


How to verify tokens?


First, you need to install the following 2 packages:


jsonwebtoken
jwk-to-pem


Next, create a file named verify-token.ts to verify the token:


import { NextFunction, Request, Response } from 'express';
import { readFileSync } from 'fs';
import jwt from 'jsonwebtoken';
import jwkToPem from 'jwk-to-pem';
import path from 'path';

// BadRequestResponse and BadTokenError are the project's own helpers and are not
// shown in the article; minimal stand-ins are defined here so the file compiles on its own.
class BadRequestResponse {
  constructor(private message: string) {}
  send(res: Response) {
    return res.status(400).json({ message: this.message });
  }
}
class BadTokenError extends Error {}

// jwks.json holds the single JWK whose kid matches the token (see above).
// Read it once at startup instead of on every request.
const jwk = JSON.parse(readFileSync(path.resolve(__dirname, 'jwks.json'), 'utf8'));
const pem = jwkToPem(jwk);

const verifyIdToken = async (req: Request, res: Response, next: NextFunction) => {
  try {
    const authorization = req.headers['authorization'];

    if (!authorization) {
      return new BadRequestResponse('Missing token.').send(res);
    }

    // Expect "Bearer <token>"
    const token = authorization.split(' ')[1];

    // Pin the algorithm so a token claiming "none" or HS256 is rejected.
    const auth = jwt.verify(token, pem, { algorithms: ['RS256'] });

    res.locals.auth = auth;

    return next();
  } catch (error: any) {
    return next(new BadTokenError(error.message));
  }
};

export default verifyIdToken;


Result when verification succeeds (the decoded payload):


{
   sub: 'a1f715a3-c758-443a-93ea-9939e4354b6e',
   iss: '',
   phone_number_verified: true,
   'cognito:username': '',
   origin_jti: '0698df1d-5687-46cf-a4ac-d964ed3cc629',
   aud: '',
   event_id: 'cf9115a3-0d8a-43c6-82f9-f2e7f6ef2853',
   token_use: 'id',
   auth_time: 1671875444,
   phone_number: '',
   exp: 1671879043,
   iat: 1671875444,
   jti: 'b453e27e-2086-45f0-bd3d-35542ab4e0cb'
}


Hope this article will be of help to you. Good luck!
