A JWT (JSON Web Token) is composed of three parts:
To validate a JWT issued by AWS Cognito, you first need to download the JSON Web Key Set (JWKS), which contains the public keys used to verify the token’s signature. You can obtain the JWKS from the following URL:
https://cognito-idp.<Region>.amazonaws.com/<userPoolId>/.well-known/jwks.jsonTo simplify the process of verifying a JWT, you can use the jwx library, which handles the token parsing and validation.
A JWK cache helps you avoid repeatedly downloading the keys for each token validation. Here’s how to refresh the cache with the public keys:
_, err := c.jwkCache.Refresh(ctx, c.publicKeysURL)
if err != nil {
fmt.Printf("Failed to fetch AWS JWKS: %s\n", err)
return false
}Once you have the JWKS, you can parse the token using the cached keys. This ensures the token’s signature is valid:
token, err := jwt.Parse(rawToken, jwt.WithKeySet(keyset), jwt.WithValidate(true))
if err != nil {
c.logger.Error("Failed to parse token", zap.Error(err))
return err
}After parsing the token, you need to verify the claims it contains. Start by checking the client_id claim to ensure the token was issued for the correct client:
clientID, _ := token.Get("client_id")
if clientID != "client_id" {
return errors.New("Invalid access token")
}Next, confirm the iss (issuer) claim to ensure the token was issued by your Cognito user pool:
iss, _ := token.Get("iss")
if iss != "https://cognito-idp.<Region>.amazonaws.com/<userPoolId>" {
return errors.New("Invalid access token")
}You can securely validate JWT tokens issued by AWS Cognito using the jwx library. This ensures the token’s signature and claims are valid before granting access to your protected resources.