AWS Security ChangesHomeSearch

AWS cognito medium security documentation change

Service: cognito · 2025-04-16 · Security-related medium

File: cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md

Summary

Replaced manual JWT verification example with AWS-recommended aws-jwt-verify library implementation and updated section title

Security assessment

The change replaces a manual JWT verification process (using jsonwebtoken and jwk-to-pem) with an AWS-maintained library, reducing potential security risks from improper implementation. The removal of manual PEM conversion steps addresses potential cryptographic validation vulnerabilities.

Diff

diff --git a/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md b/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md
index cf9f04d40..3e463997c 100644
--- a//cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md
+++ b//cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.md
@@ -7 +7 @@ PrerequisitesValidate tokens with aws-jwt-verifyUnderstanding and inspecting tok
-# Verifying a JSON Web Token
+# Verifying JSON web tokens
@@ -90,0 +91,35 @@ The header and payload are base64url-encoded JSON. You can identify them by the
+The following example application verifies user pool tokens with `aws-jwt-verify`.
+    
+    
+    // cognito-verify.js
+    // Usage example: node cognito-verify.js eyJra789ghiEXAMPLE
+    
+    const { CognitoJwtVerifier } = require('aws-jwt-verify');
+    
+    // Replace with your Amazon Cognito user pool ID
+    const userPoolId = 'us-west-2_EXAMPLE';
+    
+    async function verifyJWT(token) {
+      try {
+        const verifier = CognitoJwtVerifier.create({
+          userPoolId,
+          tokenUse: 'access', // or 'id' for ID tokens
+          clientId: '1example23456789, // Optional, only if you need to verify the token audience
+        });
+    
+        const payload = await verifier.verify(token);
+        console.log('Decoded JWT:', payload);
+      } catch (err) {
+        console.error('Error verifying JWT:', err);
+      }
+    }
+    
+    // Example usage
+    if (process.argv.length < 3) {
+      console.error('Please provide a JWT token as an argument.');
+      process.exit(1);
+    }
+    
+    const MyToken = process.argv[2];
+    verifyJWT(MyToken);
+
@@ -169,11 +203,0 @@ The `use` parameter describes the intended use of the public key. For this examp
-  3. Use a JWT library to compare the signature of the issuer to the signature in the token. The issuer signature is derived from the public key (the RSA modulus `"n"`) of the `kid` in jwks.json that matches the token `kid`. You might need to convert the JWK to PEM format first. The following example takes the JWT and JWK and uses the Node.js library, [jsonwebtoken](https://github.com/auth0/node-jsonwebtoken), to verify the JWT signature:
-
-Node.js
-    
-    
-        var jwt = require('jsonwebtoken');
-    var jwkToPem = require('jwk-to-pem');
-    var pem = jwkToPem(jwk);
-    jwt.verify(token, pem, { algorithms: ['RS256'] }, function(err, decodedToken) {
-    });
-