how to verify the signature of a jwt generated by aws cognito in python 3.6?

biglephant

I am trying to verify the signature of a jwt generated by aws cognito in python 3.6. I have the following code:import jwtimport requestsimport jsonimport base64import timeimport urllib.requestdef lambda_handler(event, context): # TODO implementprint(event)token = event['token']print(token)jwks_url = 'https://cognito-idp.{}/.well-known/jwks.json'format(event['region'])issuer_url = 'https://cognito-idp.{}/'format(event['region'])user_pool_id = event['userPoolId']headers = {'Content-Type': 'application/json','Accept': 'application/json'}req = urllib.request.Request(jwks_url, headers=headers)with urllib.request.urlopen(req) as f: jwks = json.loads(f.read().decode('utf-8'))unverified_header = jwt.get_unverified_header(token)kid = unverified_header['kid']# search for the kid in

Virgil643

Assuming you have the following:

-The JWT token
-The public certificate of the provider

you can use the jwt package to validate the signature. Install it with pip install jwt.

Once you have the package installed, you can validate the token with the jwt.decode() function. It takes three arguments: the token, the key used to sign it (in this case, the provider's public certificate), and an algorithm. The last argument is optional, but I recommend specifying it anyway because otherwise the function defaults to using the insecure HS256 algorithm. For AWS Cognito, you should use RS256.

Putting it all together, the code would look something like this:

import jwt

token = 'your-token-here'
key = 'your-provider-public-certificate-here'

decoded = jwt.decode(token, key, algorithms=['RS256'])

If the token is valid, decoded will be a dictionary containing the claims made in the token. If the token is invalid, jwt.decode() will raise an InvalidSignatureError exception.

For more information, see the jwt package documentation: https://jwt.io/

melinda_anderson

To verify the signature of a JWT generated by AWS Cognito, you will need to:

Retrieve the public key from AWS Cognito
Use the public key to verify the signature of the JWT

The process for retrieving the public key from AWS Cognito will vary depending on which region you are using. However, once you have retrieved the public key, you can use any standard JWT library to verify the signature of the JWT.

Below is an example of how to verify the signature of a JWT using the Pythoncryptography library:

import jwt
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization

Retrieve the public key from AWS Cognito

public_key = '...'

Verify the signature of the JWT

jwt.decode(token, public_key, algorithms=['RS256'], backend=default_backend())