Where can I find the secret key for the JWT from Cognito?

I am trying out the login function of the Cognito User Pool for my web app. I was able to obtain the token, but I am not sure where to find the secret to decode it. I've read in one of the posts that the secret is the secret ID for the app in the user pool. However, for the JavaScript SDK, the secret ID is blank. Does this mean my secret should also be blank? I tried this, but I got a message that says "Error: PEM_read_bio_PUBKEY failed".

leo c asked Jun 30 '16 09:06


3 Answers

Just want to summarize this topic with a snippet of code:

const jwkToPem = require('jwk-to-pem');
const requestify = require('requestify');

/**
 * Get the user pool's public signing key as PEM. Cognito signs tokens with
 * RS256, so verification needs the public key from the JWKS endpoint, not a
 * client secret.
 * @param {String} region
 * @param {String} userPoolId
 * @param {String} [kid] key id from the token header (the JWKS lists several keys)
 * @returns {Promise<String>} PEM-encoded public key
 */
function getPem(region, userPoolId, kid) {
  const jwkUrl = `https://cognito-idp.${region}.amazonaws.com/${userPoolId}/.well-known/jwks.json`;

  return requestify.request(jwkUrl, { method: 'get', dataType: 'json' })
    // Pick the key whose kid matches the token header; fall back to the
    // first key only when no kid is supplied.
    .then(res => {
      const keys = res.getBody().keys;
      return kid ? keys.find(k => k.kid === kid) : keys[0];
    })
    .then(jwk => jwkToPem(jwk));
}
D.Dimitrioglo answered Nov 09 '22 17:11


To correct the other answer: RS256 is an asymmetric algorithm and requires a public and a private key. Also see RS256 vs HS256: What's the difference? and https://en.wikipedia.org/wiki/RSA_(cryptosystem).

What is correct is that for verifying the JWT you do not need the private key that was used to sign it, only the public key made available by AWS under https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json.

B M answered Nov 09 '22 17:11


AWS uses the RS256 algorithm, which does not require a secret but a public key to decode.

Here you will find the JWKS of your pool: https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json (see http://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-identity-user-pools-using-id-and-access-tokens-in-web-api).

And here the process of transforming a JWK into the public key is described: https://mobile.awsblog.com/post/Tx3JK25U7Z9EUIU/Integrating-Amazon-Cognito-User-Pools-with-API-Gateway (under the section "Understanding the code").

JakubM answered Nov 09 '22 16:11