How to verify JWT from AWS Cognito in the API backend?

EagleBeak picture EagleBeak · Oct 28, 2016 · Viewed 43.3k times · Source

I'm building a system consisting of an Angular2 single page app and a REST API running on ECS. The API runs on .Net/Nancy, but that might well change.

I would like to give Cognito a try and this is how I imagined the authentication workflow:

  1. SPA signs in user and receives a JWT
  2. SPA sends JWT to REST API with every request
  3. REST API verfies that the JWT is authentic

My question is about step 3. How can my server (or rather: my stateless, auto-scaled, load-balanced Docker containers) verify that the token is authentic? Since the "server" hasn't issued the JWT itself, it can't use its own secret (as described in the basic JWT example here).

I have read through the Cognito docs and googled a lot, but I can't find any good guideline about what to do with the JWT on the server side.

Answer

EagleBeak picture EagleBeak · Oct 30, 2016

Turns out I didn't read the docs right. It's explained here (scroll down to "Using ID Tokens and Access Tokens in your Web APIs").

The API service can download Cognito's secrets and use them to verify received JWT's. Perfect.

Edit

@Groady's comment is on point: but how do you validate the tokens? I'd say use a battle-tested library like jose4j or nimbus (both Java) for that and don't implement the verification from scratch yourself.

Here's an example implementation for Spring Boot using nimbus that got me started when I recently had to implement this in java/dropwizard service.