Cognito questions


Hi guys,

I've been working with Amazon Cognito and I have a doubt. For example: if I'm working with a server-side application (Authorization Code Grant Flow) and a user logs in to the app, then Cognito sends him an ID token and an access token. With these tokens the app can access some resources, but here is my question: can we check the tokens in my server-side app, that is, can we check if the token is correctly formed, signed and has the correct claims before the server-side app answers the request? And do we have to do all of this for each request? Thanks in advance!

Greetings.

asked 2 years ago · 362 views
1 Answer
Accepted Answer

Hello,

I understand that you want to confirm whether you can check the tokens on your server-side app, such as whether the token has the correct format, is signed and has the correct claims, before the server-side app can trust that token to answer the request. Also, whether it is required to perform the above check on each request.

I can confirm that the verification of the JWT token on your server side app is possible and is actually recommended and a necessary step to ensure that the JWT token which your server is trusting is actually a valid token. The following checks should be performed before trusting a JWT token to provide access to your protected resources:

  1. Confirm the structure of the JWT token (i.e. it includes three sections: Header, Payload and Signature)
  2. Validate the JWT signature
  3. Verify the claims (such as the token is not expired (exp), has the correct issuer (iss), etc.)

Also, the above JWT check must be performed on each request, i.e. each time your server takes in the JWT token to answer a request which returns some protected/secured data.

For more details around verifying a JWT token issued by Cognito, please refer to the documentation link below: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

Please note that, as a JWT token is a standalone entity, the verification of the JWT token can be done on your server itself (without interacting with the Cognito service over any endpoint) using any JWT verification library. For example, if using Node.js on the server, the “aws-jwt-verify” library provided on GitHub can be used: https://github.com/awslabs/aws-jwt-verify

Additionally, you can use the following code examples as a reference while implementing this in your server app: https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

AWS
SUPPORT ENGINEER
answered 2 years ago
  • Ok Gurjot_s, it's just the reply that I needed. I'll follow your recommendations about checking the tokens; now I understand this matter better. Of course I'll check your links too. Thank you very much!

    Greetings.

  • Hi Gurjot,

    I'm wondering if we should check the tokens in the front-end application also. What do you think about it? I suppose it is not necessary, but I prefer asking the question. Thanks again!

    Greetings.
