I am trying out the log in function for the Cognito User Pool for my Web App. I was able to obtain the Token but I am not sure where to find the secret to decode it. I've read in one of the post that the secret is the secret Id for the App in the User Pool. However, for Javascript SDK, the secret id is blank. Does this mean my secret should also be blank? I tried this but I got a message that says "Error: PEM_read_bio_PUBKEY failed".
Just want to summarize this topic with the snippet of code:
const jwkToPem = require('jwk-to-pem');
const requestify = require('requestify');
/**
* Get cognito's secret key
* @param {String} region
* @param {String} userPoolId
* @returns {Promise}
*/
function getPem(region, userPoolId) {
const jwkUrl = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;
return requestify.request(jwkUrl, { method: 'get', dataType: 'json'})
.then(res => res.getBody()['keys'].shift())
.then(jwk => jwkToPem(jwk))
;
}
To correct the other answer: RS256 is an asymmetric algorithm and requires a public and a private key. Also see RS256 vs HS256: What's the difference? and https://en.wikipedia.org/wiki/RSA_(cryptosystem).
What is correct is that for verifying the JWT you do not need the private key that was used to sign it, only the public key made available by AWS under https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
.
AWS uses RS256 algorithm which does not require secret but public key to decode.
Here you will find JWKS of your pool: https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json
(See http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api)
And here is described process of transforming JWK to the public key: https://mobile.awsblog.com/post/Tx3JK25U7Z9EUIU/Integrating-Amazon-Cognito-User-Pools-with-API-Gateway (under section "Understanding the code").
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With