Are Cognito refresh tokens "valid" JSON web tokens?

I have been trying to validate the "refresh token" returned by Amazon Cognito Identity Provider via their boto3 Python client. I've been using the validator at https://jwt.io.

When I paste the refresh token into the "encoded" box, it returns a header:

{
  "cty": "JWT",
  "enc": "A256GCM",
  "alg": "RSA-OAEP"
}

but the tool also says "invalid signature" at the bottom.

I'm wondering if this is expected behavior? Are AWS Cognito refresh tokens not valid JWTs?

asked Feb 26 '20 21:02 by Nicholas Tulach


1 Answer

Yes, with this header it appears that the refresh token is a valid JWT.

https://jwt.io is not able to parse it because it is limited to signed JWTs (JWS, RFC 7515) and this one is an encrypted one (JWE, RFC 7516).

Contrary to the JWS, the JWE is composed of 5 parts separated by dots. Its header can be parsed, but the payload is encrypted and cannot be read without the private or shared key.

According to the cty header, this token contains another JWT that is certainly a JWS. This nested token allows both of the two worlds: signed and encrypted claims.

answered Sep 26 '22 09:09 by Spomky-Labs
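The distinction in the answer (three dot-separated parts for a JWS, five for a JWE, header readable in both, claims readable only in the JWS) can be checked locally without any library. The following is an added example, not code from the question, the answer or AWS: it splits a compact-serialized token, decodes the JOSE header, classifies the token, and reads the claims only when they are not encrypted. The two sample tokens are constructed inline; their non-header segments are placeholder bytes, not real ciphertext or signatures.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JOSE strips."""
    padded = segment + "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(padded)


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JOSE compact serialization does."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def inspect_token(token: str) -> dict:
    """Classify a compact JWT as JWS (3 parts) or JWE (5 parts) and decode what is readable.

    The header is cleartext in both forms. Claims are returned only for a JWS;
    a JWE's payload is ciphertext and stays None. Nothing here verifies the token:
    that requires the signing key (JWS) or the decryption key (JWE).
    """
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"not a compact JWS or JWE: {len(parts)} dot-separated parts")

    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1])) if kind == "JWS" else None
    return {
        "kind": kind,
        "parts": len(parts),
        "header": header,
        "claims": claims,
        # cty == "JWT" signals a nested token: a JWS wrapped inside this JWE
        "nested_jwt": header.get("cty") == "JWT",
    }


# Constructed sample: same header shape as the Cognito refresh token in the question,
# followed by placeholder bytes for encrypted key, IV, ciphertext and auth tag.
SAMPLE_JWE = ".".join([
    b64url_encode(json.dumps({"cty": "JWT", "enc": "A256GCM", "alg": "RSA-OAEP"}).encode()),
    b64url_encode(b"\x00" * 32),   # placeholder, not a real encrypted CEK
    b64url_encode(b"\x01" * 12),   # placeholder IV
    b64url_encode(b"\x02" * 48),   # placeholder ciphertext
    b64url_encode(b"\x03" * 16),   # placeholder GCM tag
])

# Constructed sample JWS for comparison: header, readable claims, placeholder signature.
SAMPLE_JWS = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"sub": "example-user", "token_use": "access"}).encode()),
    b64url_encode(b"\x04" * 64),   # placeholder, not a real signature
])


if __name__ == "__main__":
    for label, token in (("JWE", SAMPLE_JWE), ("JWS", SAMPLE_JWS)):
        print(label, json.dumps(inspect_token(token), indent=2))
```

Run against the JWE sample, the result matches what jwt.io showed in the question: the header decodes, but there is no signature segment to verify and no readable claims, which is why the site reports "invalid signature" rather than a parse error. Since only Cognito holds the key that decrypts the refresh token, the meaningful check on a real one is to use it: boto3's `initiate_auth` with `AuthFlow='REFRESH_TOKEN_AUTH'` either returns fresh ID and access tokens (which are JWS and can be verified against the user pool's JWKS) or fails.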