cognito-jwt-verifier

cognito-jwt-verifier

Verifies and decodes an AWS Cognito JWT token.

Warning AWS now supports their own library for this purpose. You likely want to use it instead:

aws-jwt-verify

Installation

yarn add cognito-jwt-verifier

npm install cognito-jwt-verifier

Usage

Simple example:

import CognitoJwtVerifier from "cognito-jwt-verifier";
const verifier = new CognitoJwtVerifier();

verifier.verifyToken({
	token: 'AwsCognitoToken',
	aws_region: 'us-east-1',
	userpool_id: 'AwsUserpoolId',
	userpool_client_id: 'AwsUserpoolClientId'
}).then((decoded_token)=>{
	// Token is valid
	console.log(decoded_token);
}).catch((err)=>{
	// Token is invalid or another error occurred
	console.error(err)
});

What it does

This package is based on information from the following AWS documentation: https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/

It performs the following tasks:

• Reads the kid(key ID) from the token header, and uses it to retrieve the correct public key from AWS.
• Uses the public key and the token to verify the token signature, using jsonwebtoken.
• Checks that the token expiry timestamp is still a time in the future.
• Checks that the aud token property matches the ID of the intended AWS userpool client.

If you believe there may be a security flaws in this implementation, please open an issue ASAP.

API

CognitoJwtVerifier

verifyToken({ token, aws_region, userpool_id, userpool_client_id })

• token (string) - The AWS Cognito token to be verified.
• aws_region (string) - The AWS region the userpool is located in.
• userpool_id (string) - The ID of the userpool to be verified against.
• userpool_client_id (string) - The ID of the userpool client to be verified against.

returns a promise:

• Resolves with: (Object) The decoded JWT token.

Project Links

• NPM
• GitHub

Author

Travis Wimer

• Developer Portfolio
• Blog
• LinkedIn
• Twitter
• cognito-jwt-verifier Portfolio Page

License

MIT. Copyright © 2022 Travis Wimer