node.js - Verifying AWS Cognito JWT IdToken against a JWK Set with njwt
I'm trying to figure out how to verify a user's IdToken obtained from the AWS Cognito Identity authenticateUser call.

Following the steps found here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api I was able to get to the point where I have the user's ID token and I've decoded the header and body.

Given an IdToken with a header and body like:

Header:

{ typ: 'JWT', alg: 'RS256', kid: '...' }

Body:

{ sub: 'abcd...', aud: 'abcdefg...', email_verified: true, token_use: 'id', auth_time: 1491491773, iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-...', 'cognito:username': 'username', exp: 1491495373, iat: 1491491773, email: 'user@email.com' }

Then the third part of the IdToken, the signature:

't6tjq...' // big long encoded string

The part I'm stuck on is verifying the signature against the signing key. I can't seem to get that part working. Right now I'm trying to use the njwt node module found here: https://www.npmjs.com/package/njwt.

Given the IdToken as a 3-part '.'-separated base64 encoded string, and a secretKey as the following JavaScript object:

{
  alg: 'RS256',
  e: '...',
  kid: '...', // matches the kid of the IdToken
  kty: 'RSA',
  n: 'abcdefg...', // appears to be a big long encoded string
  use: 'sig'
}

This is what I've tried with the njwt node module:

njwt.verify(idToken, secretKey, 'RS256', function(err, verifiedJwt) {
  if (err) {
    console.log(err);
  } else {
    console.log('verified');
  }
});

When I try it that way I get:

TypeError: Not a buffer
    at Verify.verify (crypto.js:426:24)
    at .../node_modules/njwt/index.js:406:10
    at Verifier.defaultKeyResolver (.../node_modules/njwt/index.js:72:10)
    at Verifier.verify (.../node_modules/njwt/index.js:375:15)
    at Object.jwtLib.verify (.../node_modules/njwt/index.js:457:21)
    at repl:1:6
    at REPLServer.self.eval (repl.js:110:21)
    at repl.js:249:20
    at REPLServer.self.eval (repl.js:122:7)
    at Interface.<anonymous> (repl.js:239:12)

So I thought maybe I need to pass in secretKey.n instead of secretKey, so:

njwt.verify(idToken, secretKey.n, 'RS256', function(err, verifiedJwt) {
  if (err) {
    console.log(err);
  } else {
    console.log('verified');
  }
});

When I try it that way I get:

139980866705216:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: CERTIFICATE

followed by the console.log(err);:

{ [JwtParseError: Signature verification failed]
  name: 'JwtParseError',
  userMessage: 'Signature verification failed',
  message: 'Signature verification failed',
  jwtString: 'abcdefg...',
  parsedHeader: { typ: 'JWT', alg: 'RS256', kid: '...' },
  parsedBody: { sub: 'abcd...', aud: 'abcdefg...', email_verified: true, token_use: 'id', auth_time: 1491491773, iss: 'https://cognito-idp.us-east-1.amazonaws.com/us-east-...', 'cognito:username': 'username', exp: 1491495373, iat: 1491491773, email: 'user@email.com' },
  innerError: undefined }

How should I be passing in the secretKey? What should the secretKey be, and what should it look like? Quite honestly I'm not sure what njwt.verify is expecting.
It looks like the issue is that njwt.verify is expecting a public RSA key. I had to convert the JWK Set object into a public RSA key. I did this using the jwk-to-pem node module.

Given the same secretKey from the question:

var jwkToPem = require('jwk-to-pem');
var pem = jwkToPem(secretKey);

njwt.verify(idToken, pem, 'RS256', function(err, verifiedJwt) {
  if (err) {
    console.log(err);
  } else {
    console.log('verified');
  }
});

Success!