Closed
So AWS Cognito User Pools went GA today. I'm working through a lot of the details, in particular the process of verifying the integrity of the Id and Access token types that Cognito returns. Both of these are JWT tokens and can ultimately be verified using ruby-jwt, BUT doing that first requires converting the JWK format in which Amazon provides the Cognito public keys for an individual AWS account's UserPool.
Here are the steps I ended up following:
- Get the public key in JWK form from AWS, following the directions
- Use a website to convert it to RSA form (link)
- Save the RSA output to a .pem file and chmod 600 it
- Load the PEM and verify the token:

```ruby
require 'openssl'
require 'jwt'

# Public key converted from Cognito's JWK and saved as PEM
rsa_public = OpenSSL::PKey::RSA.new File.read 'aws1.pem'
# Verify the signature (third argument) and pin the algorithm to RS256
decoded_token = JWT.decode token, rsa_public, true, algorithm: 'RS256'
```
So a couple of things:
- If I were to contribute the code, could we fit this into jwt directly?
- Ideally I'd just enter the Cognito known jwks.json path or URI and the appropriate key (by kid) would automatically be used. Is this an acceptable extension of jwt, or is this seen as too vendor specific? Similar to this
- Is this already in jwt and I just didn't look hard enough?
- It seems like potatosalad's jose implementation can accomplish this, but the MPL2 is a bit more complicated than your MIT license. Are there other good existing JWK choices?
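The manual steps above and the "pick the key by kid from jwks.json" idea can be done with OpenSSL alone, with no conversion website: build the RSA public key from the JWK's `n` and `e` members and verify the RS256 signature against the key whose `kid` matches the token header. This is an added example, not ruby-jwt's code or AWS's; the JWKS document, the `example-kid-1` key id and the signing key are constructed in the block, and `verify_with_jwks`, `rsa_from_jwk` and `make_token` are hypothetical helper names.

```ruby
require 'openssl'
require 'json'

# Base64url (RFC 7515 section 2): URL-safe alphabet, no padding.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m0')
end

# Build an OpenSSL RSA public key from the JWK "n" and "e" members by emitting a
# PKCS#1 RSAPublicKey DER structure (avoids RSA#set_key, which OpenSSL 3 rejects).
def rsa_from_jwk(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der)
end

# Verify an RS256 JWT against a JWKS document, picking the key by the token's "kid"
# header. Returns the claims hash, or nil when the token is unsigned, uses another
# algorithm, names an unknown kid, is malformed, or fails signature verification.
def verify_with_jwks(token, jwks_json)
  header_b64, payload_b64, sig_b64 = token.split('.')
  return nil unless header_b64 && payload_b64 && sig_b64
  header = JSON.parse(b64url_decode(header_b64))
  return nil unless header['alg'] == 'RS256' # pin the algorithm; never honour "none" or HS*
  jwk = JSON.parse(jwks_json)['keys'].find { |k| k['kty'] == 'RSA' && k['kid'] == header['kid'] }
  return nil unless jwk
  sig_ok = rsa_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(sig_b64), "#{header_b64}.#{payload_b64}")
  sig_ok ? JSON.parse(b64url_decode(payload_b64)) : nil
rescue ArgumentError, JSON::ParserError, OpenSSL::OpenSSLError
  nil
end

# Constructed fixture: a fresh RSA key standing in for a user pool's signing key,
# published as a jwks.json document; make_token plays the part of the issuer.
SIGNING_KEY = OpenSSL::PKey::RSA.new(2048)
JWKS = JSON.generate('keys' => [{ 'kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => 'example-kid-1',
                                  'n' => b64url_encode(SIGNING_KEY.n.to_s(2)), 'e' => b64url_encode(SIGNING_KEY.e.to_s(2)) }])

def make_token(claims, kid:, key: SIGNING_KEY)
  head = b64url_encode(JSON.generate('alg' => 'RS256', 'kid' => kid))
  body = b64url_encode(JSON.generate(claims))
  signing_input = "#{head}.#{body}"
  "#{signing_input}.#{b64url_encode(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end
```

A signature check alone is not enough for a Cognito token: the caller still has to check `exp`, that `iss` is the user pool's issuer URL, that `aud` (or `client_id`) is the expected app client, and that `token_use` is `id` or `access` as appropriate.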