I have a JWT token that I have retrieved from Cognito after my user logs in.
I have a specific API endpoint in my application and I want only users with a valid JWT to be able to access this endpoint. I tried looking at various resources on the web but I couldn't understand anything. I am new to the JWT concept.
PS: I have a Java application (Spring Boot). I would really appreciate it if someone would describe in detail the steps that I need to follow to verify my JWT. Please provide the code if possible.
@CrossOrigin
@RequestMapping(value = "/login", method = RequestMethod.POST, consumes = "application/json")
@ResponseBody
public String authenticate(@RequestBody SignInDTO signInDetails)
{
    // boolean isAuthenticated = false;
    CognitoHelper cognitoHelper = new CognitoHelper();
    String authResult = cognitoHelper.ValidateUser(signInDetails.getEmailId(), signInDetails.getPassword());
    .....
    .....
    .....
authResult is the JWT that I get from Cognito. After this I am completely clueless about what needs to be done.
Spring Security 5.1 introduced support for this so it's much easier to implement. See https://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#oauth2resourceserver
Basically:
https://cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>
Use a library like java-jwt
(I guess you are using Maven)
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.3.0</version>
</dependency>
Then:
import java.io.UnsupportedEncodingException;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
try {
    // Choose ONE algorithm that matches the token's "alg" header.
    Algorithm algorithm = Algorithm.HMAC256("secret");
    // or, for an RSA-signed token: Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); // Reusable verifier instance
    DecodedJWT jwt = verifier.verify(token); // throws if signature or claims are invalid
} catch (UnsupportedEncodingException exception) {
    // UTF-8 encoding not supported
} catch (JWTVerificationException exception) {
    // Invalid signature/claims
}
You can manually decode a JWT token here: https://jwt.io
More info about java-jwt here: https://github.com/auth0/java-jwt
Step 1: Confirm the Structure of the JWT
Step 2: Validate the JWT Signature
Step 3: Verify the Claims
Go to https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html for more information.
For the bare minimum, you need the spring-boot-starter-oauth2-resource-server and the spring-boot-starter-security dependencies. You may also need the spring-security-oauth2-jose dependency.
You then need to set the issuer URI in your properties or YML file. You can find this in your access token payload as the "iss" value.
spring.security.oauth2.resourceserver.jwt.issuer-uri:
Using curl to test
curl -o /dev/null -s -w "%{http_code}\n" -H "Authorization: Bearer ey..." http://localhost:8080/hello
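As an added example (not code from any of the answers above), here is a Spring Security resource-server configuration that carries out the three Cognito steps listed earlier: structure and signature are checked against the pool's JWKS endpoint, and the claims are checked for issuer, expiry, token_use and client_id. It assumes Spring Security 5.2 to 5.7 (lambda DSL, WebSecurityConfigurerAdapter still present) with spring-boot-starter-oauth2-resource-server on the classpath; the region, user pool id and app client id are placeholders, and /login is the asker's own endpoint.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Configuration
public class CognitoResourceServerConfig extends WebSecurityConfigurerAdapter {

    // Placeholders: substitute your pool's region, pool id and app client id.
    private static final String REGION = "<region>";
    private static final String USER_POOL_ID = "<YOUR_USER_POOL_ID>";
    private static final String APP_CLIENT_ID = "<YOUR_APP_CLIENT_ID>";
    private static final String ISSUER =
            "https://cognito-idp." + REGION + ".amazonaws.com/" + USER_POOL_ID;

    @Bean
    public JwtDecoder jwtDecoder() {
        // Steps 1 and 2: the decoder rejects malformed JWS and verifies the RS256
        // signature with the pool key whose "kid" matches the token header,
        // fetched (and cached) from the JWKS endpoint.
        NimbusJwtDecoder decoder =
                NimbusJwtDecoder.withJwkSetUri(ISSUER + "/.well-known/jwks.json").build();

        // Step 3: default validator checks exp/nbf and iss; Cognito access tokens
        // additionally carry token_use and client_id, which are pinned here.
        OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(ISSUER);
        OAuth2TokenValidator<Jwt> tokenUse = new JwtClaimValidator<String>("token_use", "access"::equals);
        OAuth2TokenValidator<Jwt> client = new JwtClaimValidator<String>("client_id", APP_CLIENT_ID::equals);
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, tokenUse, client));
        return decoder;
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests(auth -> auth
                .antMatchers("/login").permitAll()   // credentials are exchanged for the token here
                .anyRequest().authenticated())       // every other endpoint needs a valid Cognito JWT
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.decoder(jwtDecoder())));
    }
}
```

With this in place, the curl call above returns 401 for a missing, expired, tampered or wrong-pool token and 200 only when every check passes; a Cognito ID token is also rejected because its token_use is "id".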
Here's how to verify the token (It's written in Kotlin).
Here's where the key resides:
https://cognito-idp.$regionName.amazonaws.com/$cognitoUserPoolId/.well-known/jwks.json
I've implemented a bunch of it here: https://github.com/awslabs/cognito-proxy-rest-service