Cognito questions

0

Hi guys,

I've been working with Amazon Cognito and I have a doubt. For example: if I'm working with a server-side application (Authorization Code Grant Flow) and a user logs in to the app, then Cognito sends him an ID token and an access token. With these tokens the app can access some resources, but here is my question: can we check the tokens in my server-side app, that is, can we check if the token is correctly formed, signed and has the correct claims before the server-side app answers the request? And do we have to do all of this for each request? Thanks in advance!

Greetings.

Asked 2 years ago, 369 views
1 answer
1
Accepted answer

Hello,

I understand that you want to confirm whether you can check the tokens on your server-side app, such as whether the token has the correct format, is signed and has the correct claims, before the server-side app can trust that token to answer the request. Also, whether it is required to perform the above check on each request.

I can confirm that the verification of the JWT token on your server side app is possible and is actually recommended and a necessary step to ensure that the JWT token which your server is trusting is actually a valid token. The following checks should be performed before trusting a JWT token to provide access to your protected resources:

  1. Confirm the structure of the JWT token (i.e. it includes three sections: Header, Payload and Signature)
  2. Validate the JWT signature
  3. Verify the claims (such as the token is not expired (exp), has the correct issuer (iss), etc.)

Also, the above JWT check must be performed on each request i.e. each time when your server is taking in the JWT token to answer a request which returns some protected/secured data.

For more details around verifying a JWT token issued by Cognito, please refer to the documentation below: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

Please note that, as a JWT token is a standalone entity, the verification of the JWT token can be done on your server itself (without interacting with the Cognito service over any endpoint) using any JWT verification library. For example, if using Node.js on the server, the "aws-jwt-verify" library provided on GitHub can be used: https://github.com/awslabs/aws-jwt-verify

Additionally, you can use the following code examples as a reference while implementing this in your server app: https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt

AWS
Support Engineer
Answered 2 years ago
  • Ok Gurjot_s, it's just the reply that I needed. I'll follow your recommendations about checking the tokens; now I understand this matter better. Of course I'll check your links too. Thank you very much!

    Greetings.

  • Hi Gurjot,

    I'm wondering if we should check the tokens in the front-end application as well. What do you think about it? I suppose it is not necessary, but I prefer to ask the question. Thanks again!

    Greetings.
