Hello,
I understand that you want to confirm whether you can check the tokens in your server-side app (i.e. whether the token has the correct format, is signed, and has the correct claims) before the server-side app trusts that token to answer the request. Also, whether it is required to perform the above check on each request.
I can confirm that verification of the JWT token in your server-side app is possible, and is in fact the recommended and necessary step to ensure that the JWT token your server is trusting is actually a valid token. The following checks should be performed before trusting a JWT token to provide access to your protected resources:
- Confirm the structure of the JWT token (i.e. it includes three sections: Header, Payload and Signature)
- Validate the JWT signature
- Verify the claims (such as: the token is not expired (exp), it has the correct issuer (iss), etc.)
Also, the above JWT checks must be performed on each request, i.e. every time your server takes in the JWT token to answer a request that returns protected/secured data.
For more details on verifying a JWT token issued by Cognito, please refer to the documentation below: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html
Please note that, as a JWT token is a standalone entity, verification of the JWT token can be done on your server itself (without interacting with the Cognito service over any endpoint) using any JWT verification library. For example, if using node.js on the server, the "aws-jwt-verify" library provided on GitHub can be used: https://github.com/awslabs/aws-jwt-verify
Additionally, you can use the following code examples as a reference while implementing this in your server app: https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt
Ok Gurjot_s, it's just the reply that I needed. I'll follow your recommendations about checking the tokens; now I understand this matter better. Of course I'll check your links too. Thank you very much!
Greetings.
Hi Gurjot,
I'm wondering if we should check the tokens in the front-end application also, what do you think? I suppose it is not necessary, but I prefer to ask the question. Thanks again!
Greetings.