
AWS Cognito - verify token using JWT vs cognito.getUser SDK

I am using the following doc by AWS for verifying the incoming token with Cognito to verify the user in cognito pool: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html

Now I also need to verify one of the custom attributes (email) of that user. (Basically this is to mitigate a case where some user can change their email-id in the API payload to access someone else's details).

The Cognito SDK I found to do this was this: https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html

It works just fine, however this led me to a question: Since I'm sending the access token in this SDK, do I need to use the former JWT-based token verification as well? Because this SDK also handles the case where the token is invalid/expired and sends error codes accordingly. Is there something I'm missing which the former case handles and the latter one doesn't?

Short answer: no, you can ignore the contents of the JWT.

Longer answer: JWT tokens provide a fast way to verify that a user has been authenticated, without the need to check a database or external service. This can be very important in a high-volume application.

However, they have several limitations:

  • A JWT token is issued with an expiration timestamp. If you rely on the JWT, you do not have a way to forcibly log out a user until that timestamp expires.
  • To be secure, your JWT token must be signed using an asymmetric keypair (I mention this simply because a lot of people have implemented their own identity servers incorrectly; Cognito does it right).
  • The claims that are in the token (and are signed by the identity server) may not be sufficient for your needs. Best practice is to minimize the size of the token, and iirc Cognito follows this practice by only including the user attributes that are directly tied to authentication.

If any of these limitations apply to a particular use-case (and it sounds like the third applies to you), then you'll have to make that external service call to the identity server. And if you do that, and the server reports authentication status, then there's no need to pay attention to the token.
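The two paths the question compares, written out as an added example (this is not code from the question, the answer, or AWS). Path A runs the claim checks from the linked Cognito guide on a token whose signature is assumed to have already been verified against the user pool's JWKS with a JWT library; path B parses a `GetUser` response, whose attributes come from Cognito rather than from the caller's request body. In both paths the email from the request payload is compared against the verified email, which is the check that stops a caller from substituting someone else's address. The region, pool id, app client id and all token and response contents are constructed placeholders.

```python
"""Added example: Cognito claim checks (path A) and GetUser attribute
parsing (path B), each followed by the request-email comparison that the
question is really about. All identifiers and sample data are constructed."""
import time
from typing import Optional

REGION = "us-east-1"                  # assumed region for the example
USER_POOL_ID = "us-east-1_EXAMPLE"    # placeholder pool id, not a real pool
APP_CLIENT_ID = "exampleclientid123"  # placeholder app client id


def check_cognito_claims(claims: dict, token_use: str, now: Optional[float] = None) -> None:
    """Claim checks from the Cognito guide, for a token whose RS256 signature
    has ALREADY been verified against the pool's JWKS (assumed done elsewhere).

    token_use is "access" or "id". Raises ValueError on the first failed check.
    """
    now = time.time() if now is None else now
    expected_iss = f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}"
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer does not match this user pool")
    if claims.get("token_use") != token_use:
        raise ValueError(f"token_use is not {token_use!r}")
    # Access tokens name the app client in client_id, ID tokens in aud.
    audience = claims.get("client_id") if token_use == "access" else claims.get("aud")
    if audience != APP_CLIENT_ID:
        raise ValueError("token was not issued for this app client")
    # exp is a Unix timestamp; a token is rejected on or after it.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token has expired")


def claims_valid(claims: dict, token_use: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around check_cognito_claims for callers that prefer it."""
    try:
        check_cognito_claims(claims, token_use, now)
        return True
    except ValueError:
        return False


def email_from_get_user(response: dict, require_verified: bool = True) -> Optional[str]:
    """Pull the email out of a GetUser response (Username + UserAttributes,
    a list of {Name, Value}). With require_verified, an email whose
    email_verified attribute is not "true" is treated as absent."""
    attrs = {a.get("Name"): a.get("Value") for a in response.get("UserAttributes", [])}
    if require_verified and attrs.get("email_verified") != "true":
        return None
    return attrs.get("email")


def authorize_email(request_email: str, verified_email: Optional[str]) -> bool:
    """True only if the email the caller put in the payload is exactly the
    one the identity provider vouches for; no verified email means no access."""
    if not verified_email:
        return False
    return request_email == verified_email


# Constructed sample data: claims of a (signature-verified) ID token ...
SAMPLE_ID_CLAIMS = {
    "iss": f"https://cognito-idp.{REGION}.amazonaws.com/{USER_POOL_ID}",
    "aud": APP_CLIENT_ID,
    "token_use": "id",
    "sub": "00000000-0000-0000-0000-000000000000",  # placeholder subject
    "cognito:username": "alice",
    "email": "alice@example.com",
    "iat": 1700000000,
    "exp": 1700003600,
}
# ... and the shape of a GetUser response for the same user.
SAMPLE_GET_USER_RESPONSE = {
    "Username": "alice",
    "UserAttributes": [
        {"Name": "sub", "Value": "00000000-0000-0000-0000-000000000000"},
        {"Name": "email_verified", "Value": "true"},
        {"Name": "email", "Value": "alice@example.com"},
    ],
}

if __name__ == "__main__":
    payload_email = "bob@example.com"  # what a tampering caller might send
    # Path A: trust the email claim only after the claim checks pass.
    check_cognito_claims(SAMPLE_ID_CLAIMS, "id", now=1700000000)
    print("path A allows:", authorize_email(payload_email, SAMPLE_ID_CLAIMS["email"]))
    # Path B: trust the email attribute returned by GetUser.
    print("path B allows:", authorize_email(payload_email, email_from_get_user(SAMPLE_GET_USER_RESPONSE)))
```

Note that path A only makes sense on an ID token: the access token does not carry the email claim, which is the answer's third limitation. On path B the `GetUser` call itself fails for an invalid or expired access token, so the claim checks are redundant there, as the answer says; the email comparison is still your code's responsibility on either path.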
