where can I find the secret key for the JWT from cognito

天涯浪人 2021-02-13 20:21

I am trying out the log in function for the Cognito User Pool for my Web App. I was able to obtain the Token but I am not sure where to find the secret to decode it. I've rea

4 answers
  • 2021-02-13 21:04

    To correct the other answer: RS256 is an asymmetric algorithm and requires a public and a private key. Also see RS256 vs HS256: What's the difference? and https://en.wikipedia.org/wiki/RSA_(cryptosystem).

    What is correct is that for verifying the JWT you do not need the private key that was used to sign it, only the public key made available by AWS under https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json.

  • 2021-02-13 21:05

    AWS uses the RS256 algorithm, which does not require a secret but a public key to decode.

    Here you will find the JWKS of your pool: https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json (See http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api)

    And here the process of transforming a JWK into the public key is described: https://mobile.awsblog.com/post/Tx3JK25U7Z9EUIU/Integrating-Amazon-Cognito-User-Pools-with-API-Gateway (under the section "Understanding the code").

  • 2021-02-13 21:07

    Just want to summarize this topic with a snippet of code:

    const jwkToPem = require('jwk-to-pem');
    const requestify = require('requestify');
    
    /**
     * Get the PEM-encoded public key of a Cognito user pool from its JWKS.
     * Cognito publishes more than one key, so pass the `kid` from the token
     * header to select the matching one; without a kid the first key is used.
     * @param {String} region
     * @param {String} userPoolId
     * @param {String} [kid] key id taken from the JWT header
     * @returns {Promise<String>} PEM public key usable with jwt.verify
     */
    function getPem(region, userPoolId, kid) {
      const jwkUrl = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
    
      return requestify.request(jwkUrl, { method: 'get', dataType: 'json' })
        .then(res => {
          const keys = res.getBody()['keys'];
          const jwk = kid ? keys.find(k => k.kid === kid) : keys[0];
          if (!jwk) throw new Error(`no key with kid ${kid} in JWKS`);
          return jwk;
        })
        .then(jwk => jwkToPem(jwk));
    }
    
  • 2021-02-13 21:20

    I was trying to work through all this type of thing as well.

    To that end I put together two examples of how to do this stuff that worked for me

    1) Verifying a JWT token with a 'secret' - aka the Issuer's RSA public key

    2) Using an Issuer's public SSL certificate to verify JWT tokens and other signatures
