AWS cognito medium security documentation change
Summary
Replaced manual JWT verification example with AWS-recommended aws-jwt-verify library implementation and updated section title
Security assessment
The change replaces a manual JWT verification process (using jsonwebtoken and jwk-to-pem) with an AWS-maintained library, reducing potential security risks from improper implementation. The removal of manual PEM conversion steps addresses potential cryptographic validation vulnerabilities.
Diff
diff --git a/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md b/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md index cf9f04d40..3e463997c 100644 --- a//cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md +++ b//cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md @@ -7 +7 @@ PrerequisitesValidate tokens with aws-jwt-verifyUnderstanding and inspecting tok -# Verifying a JSON Web Token +# Verifying JSON web tokens @@ -90,0 +91,35 @@ The header and payload are base64url-encoded JSON. You can identify them by the +The following example application verifies user pool tokens with `aws-jwt-verify`. + + + // cognito-verify.js + // Usage example: node cognito-verify.js eyJra789ghiEXAMPLE + + const { CognitoJwtVerifier } = require('aws-jwt-verify'); + + // Replace with your Amazon Cognito user pool ID + const userPoolId = 'us-west-2_EXAMPLE'; + + async function verifyJWT(token) { + try { + const verifier = CognitoJwtVerifier.create({ + userPoolId, + tokenUse: 'access', // or 'id' for ID tokens + clientId: '1example23456789, // Optional, only if you need to verify the token audience + }); + + const payload = await verifier.verify(token); + console.log('Decoded JWT:', payload); + } catch (err) { + console.error('Error verifying JWT:', err); + } + } + + // Example usage + if (process.argv.length < 3) { + console.error('Please provide a JWT token as an argument.'); + process.exit(1); + } + + const MyToken = process.argv[2]; + verifyJWT(MyToken); + @@ -169,11 +203,0 @@ The `use` parameter describes the intended use of the public key. For this examp - 3. Use a JWT library to compare the signature of the issuer to the signature in the token. The issuer signature is derived from the public key (the RSA modulus `"n"`) of the `kid` in jwks.json that matches the token `kid`. You might need to convert the JWK to PEM format first. The following example takes the JWT and JWK and uses the Node.js library, [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken), to verify the JWT signature: - -Node.js - - - var jwt = require('jsonwebtoken'); - var jwkToPem = require('jwk-to-pem'); - var pem = jwkToPem(jwk); - jwt.verify(token, pem, { algorithms: ['RS256'] }, function(err, decodedToken) { - }); -