I have a JWT that I have retrieved from Cognito after my user logs in.
I have a specific API endpoint in my application and I want only users with a valid JWT to be able to access this endpoint. I tried looking at various resources on the web but I couldn't understand anything. I am new to the JWT concept.
PS: I have a Java application (Spring Boot). I would really appreciate it if someone would describe in detail the steps that I need to follow to verify my JWT. Please provide the code if possible.
@CrossOrigin
@RequestMapping(value = "/login", method = RequestMethod.POST, consumes = "application/json")
@ResponseBody
public String authenticate(@RequestBody SignInDTO signInDetails)
{
    //boolean isAuthenticated=false;
    CognitoHelper cognitoHelper = new CognitoHelper();
    String authResult = cognitoHelper.ValidateUser(signInDetails.getEmailId(), signInDetails.getPassword());
    .....
    .....
    .....
authResult is the JWT that I get from Cognito. After this I am completely clueless about what needs to be done.
For obtaining claims from a JWT, use the verify() method to validate the claims and the signature. Avoid using the decode() method to validate a token, especially if it's coming from a public client.
After a user logs in, an Amazon Cognito user pool returns a JWT. The JWT is a Base64-encoded JSON string that contains information about the user (called claims). Amazon Cognito returns three tokens: the ID token, the access token, and the refresh token.
To authenticate a user, a client application must send a JSON Web Token (JWT) in the authorization header of the HTTP request to your backend API. API Gateway validates the token on behalf of your API, so you don't have to add any code in your API to process the authentication.
There are two ways to verify a token: locally or remotely with Okta. The token is signed with a JSON Web Key (JWK) using the RS256 algorithm. To validate the signature, Okta provides your application with a public key that can be used.
Spring Security 5.1 introduced support for this so it's much easier to implement. See https://docs.spring.io/spring-security/site/docs/current/reference/html/jc.html#oauth2resourceserver
Basically:
https://cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>
Use a library like java-jwt
(I guess you are using Maven)
<dependency>
    <groupId>com.auth0</groupId>
    <artifactId>java-jwt</artifactId>
    <version>3.3.0</version>
</dependency>
Then:
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.io.UnsupportedEncodingException;

String token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJpc3MiOiJhdXRoMCJ9.AbIJTDMFc7yUa5MhvcP03nJPyCPzZtQcGEp-zWfOkEE";
try {
    // HMAC (shared secret) signature; only one Algorithm may be declared per scope
    Algorithm algorithm = Algorithm.HMAC256("secret");
    // or, for an RS256-signed token (the kind Cognito issues):
    // Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
    JWTVerifier verifier = JWT.require(algorithm)
        .withIssuer("auth0")
        .build(); // Reusable verifier instance
    DecodedJWT jwt = verifier.verify(token); // throws if the signature or claims are invalid
} catch (UnsupportedEncodingException exception) {
    // UTF-8 encoding not supported
} catch (JWTVerificationException exception) {
    // Invalid signature/claims
}
You can manually decode a JWT here: https://jwt.io
More info about java-jwt here: https://github.com/auth0/java-jwt
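As an added example (not code from the question or the answers above), this is how I would verify a Cognito access token with java-jwt plus Auth0's jwks-rsa artifact (com.auth0:jwks-rsa, an assumed extra Maven dependency): Cognito signs with RS256, so the public key is fetched from the user pool's JWKS by the token's kid header, and issuer, token_use, app client ID and expiry are all checked before any claim is trusted. Region, user pool ID and app client ID are assumed constructor arguments that you supply from your Cognito console.

```java
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;

/** Verifies Cognito access tokens against the user pool's published JWKS (added example, not the page's code). */
public class CognitoJwtVerifier {
    private final JWTVerifier verifier;

    public CognitoJwtVerifier(String region, String userPoolId, String appClientId) throws MalformedURLException {
        // The issuer is the user pool URL; its signing keys are published at <issuer>/.well-known/jwks.json
        String issuer = "https://cognito-idp." + region + ".amazonaws.com/" + userPoolId;
        JwkProvider jwks = new JwkProviderBuilder(new URL(issuer + "/.well-known/jwks.json"))
                .cached(10, 24, TimeUnit.HOURS)        // cache fetched keys instead of hitting AWS per request
                .rateLimited(10, 1, TimeUnit.MINUTES)  // bound JWKS fetches triggered by unknown kid values
                .build();
        // Look the public key up by the token's "kid" header; verification never needs a private key
        RSAKeyProvider keys = new RSAKeyProvider() {
            @Override public RSAPublicKey getPublicKeyById(String kid) {
                try { return (RSAPublicKey) jwks.get(kid).getPublicKey(); }
                catch (JwkException e) { throw new JWTVerificationException("Unknown key id: " + kid, e); }
            }
            @Override public RSAPrivateKey getPrivateKey() { return null; }
            @Override public String getPrivateKeyId() { return null; }
        };
        this.verifier = JWT.require(Algorithm.RSA256(keys))
                .withIssuer(issuer)                   // token must come from this user pool
                .withClaim("token_use", "access")     // reject ID and refresh tokens at the API
                .withClaim("client_id", appClientId)  // reject tokens minted for a different app client
                .acceptLeeway(60)                     // tolerate up to 60 s of clock skew on exp/iat/nbf
                .build();
    }

    /** Returns the verified token; throws JWTVerificationException on bad signature, expiry or wrong claims. */
    public DecodedJWT verify(String accessToken) {
        return verifier.verify(accessToken);
    }
}
```

Strip the "Bearer " prefix from the Authorization header before calling verify(), and only then read claims such as "sub" or "cognito:groups" from the returned DecodedJWT. To accept the ID token instead, check token_use "id" and the "aud" claim rather than client_id.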