Why does my JWT Token' from Amazon Cognito have an invalid signature?

Question

I am working on Amazon cognito. I am trying to decode from https://jwt.io

eyJraWQiOiJRaGF4STZGbXB5Y3Z3dUV5TUZJUk9FTm5MTDJKTiswMzVVak5MNTEycjZvPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhYjI0YzExYS1mNjZhLTRjMjktOWVhNy0yMWQwMTc2NmZlN2IiLCJhdWQiOiIxY2ZxNjJubjNlZmNpdWFpYnFldmlxbHU4OSIsInRva2VuX3VzZSI6ImlkIiwiYXV0aF90aW1lIjoxNDk0Njg1MjQwLCJpc3MiOiJodHRwczpcL1wvY29nbml0by1pZHAudXMtZWFzdC0xLmFtYXpvbmF3cy5jb21cL3VzLWVhc3QtMV9oM3F4WGVPQzQiLCJjb2duaXRvOnVzZXJuYW1lIjoidGVzdHNhbmRlZXAxIiwiZXhwIjoxNDk0Njg4ODQwLCJpYXQiOjE0OTQ2ODUyNDAsImVtYWlsIjoic2FuZGVlcC5qYWtrYXJhanVAZm9jYWxjeG0uY29tIn0.ZRsYZZwxUnqL4FfuWhD-w8xQWoQQkuj4rYCYPqQehcq1SMe0Vww2GIY4-sr9RgwjVxhOo4WqIQT8LzSn_tFBF504h5xGpp5fD37rIJZ49rC3naH7tC0nHwKSswi6C6x8BlIPi4QAnlP49SZMoIEPEnQig9F6wzlDfb-cjw0R2q61Em-e0cpBM8lbjxCrgBF2-PbXFqwEfncEUkwb93qZHo4Wk3pYH3d-9aXzZg6Xc4CNZfehAUZ7qknq2qtaSI3tH-EXGYmytjoVwcF5jIvej2OATrQf_JbfBNSxC96oA_CglWVKvp2rPrqlZzDCd0Se68TjZvKSbW7XtKX_DzI5ww

It says the signature invalid. I have tried many tokens I am always getting this.

Why does it report that the signature is invalid?

Answer 1

@jps is correct. You need to download the JWKs for your Cognito User Pool before you can verify the signature of the JWT.

1. Download your Cognito User Pools JWK file: https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json. This for your User Pool is: https://cognito-idp.us-east-1.amazonaws.com/us-east-1_h3qxXeOC4/.well-known/jwks.json
2. Find your Identities kid value. The value from the token you provided is: "QhaxI6FmpycvwuEyMFIROENnLL2JN+035UjNL512r6o=".
3. You then need to generate the Public Key that matches the data provided from the JWKs file, that matches your kid key. This is blogged about here: https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/ (look further down the blog post for how to generate the Public Key).