
How do I validate a jwt token that I got from Cognito

I have a jwt token that I have retrieved from cognito after my user logs in.

I have a specific api end point in my application and I want only users with a valid jwt to be able to access this end point. I tried looking at various resources on the web but I couldn't understand anything. I am new to the jwt concept.

PS: I have a Java application (Spring Boot). I would really appreciate it if someone would describe in detail the steps that I need to follow to verify my JWT. Please provide the code if possible.

@CrossOrigin
@RequestMapping(value = "/login", method = RequestMethod.POST, consumes = "application/json")
@ResponseBody
public String authenticate(@RequestBody SignInDTO signInDetails)
{
    //boolean isAuthenticated=false;
    CognitoHelper cognitoHelper = new CognitoHelper();
    String authResult = cognitoHelper.ValidateUser(signInDetails.getEmailId(), signInDetails.getPassword());
    .....
    .....
    .....

authResult is the JWT that I get from Cognito. After this I am completely clueless about what needs to be done.

Spring Security 5.1 introduced support for this so it's much easier to implement. See https://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#oauth2resourceserver

Basically:

  1. Add dependencies as described in https://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#dependencies
  2. Add yml config as described at https://docs.spring.io/spring-security/site/docs/current/reference/html5/#oauth2resourceserver-jwt-minimalconfiguration . For cognito use following url: https://cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>
  3. You would probably need to edit your security config as described at https://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#oauth2resourceserver-sansboot

Use a library like java-jwt (I guess you are using Maven)

<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.3.0</version>
</dependency>

Then:

import java.io.UnsupportedEncodingException;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
try {
    // HS256 with a shared secret (the sample token above is HS256)
    Algorithm algorithm = Algorithm.HMAC256("secret");
    // or, for an RS256 token, use the RSA key pair instead (keep only one of the two declarations):
    // Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); // Reusable verifier instance
    DecodedJWT jwt = verifier.verify(token); // checks signature, issuer and expiry
} catch (UnsupportedEncodingException exception) {
    // UTF-8 encoding not supported (declared by HMAC256(String) in java-jwt 3.3.0)
} catch (JWTVerificationException exception) {
    // Invalid signature/claims
}

You can manually decode a jwt-token here: https://jwt.io
More info about java-jwt here: https://github.com/auth0/java-jwt

Step 1: Confirm the Structure of the JWT

Step 2: Validate the JWT Signature

Step 3: Verify the Claims

Go to https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html for more information.

For the bare minimum, you need the spring-boot-starter-oauth2-resource-server and the spring-boot-starter-security dependencies. You may also need spring-security-oauth2-jose dependency.

You then need to set the issuer URI in your properties or yml file. You can find this in your access token payload as the "iss" value. spring.security.oauth2.resourceserver.jwt.issuer-uri:

Using curl to test

curl -o /dev/null -s -w "%{http_code}\n" -H "Authorization: Bearer ey..." http://localhost:8080/hello

Here's how to verify the token (It's written in Kotlin).

Here's where the key resides:

https://cognito-idp.$regionName.amazonaws.com/$cognitoUserPoolId/.well-known/jwks.json

I've implemented a bunch of it here: https://github.com/awslabs/cognito-proxy-rest-service
