I'm building a system consisting of an Angular2 single page app and a REST API running on ECS. The API runs on .NET/Nancy, but that might well change.
I would like to give Cognito a try and this is how I imagined the authentication workflow:
- SPA signs in user and receives a JWT
- SPA sends JWT to REST API with every request
- REST API verifies that the JWT is authentic
My question is about step 3. How can my server (or rather: my stateless, auto-scaled, load-balanced Docker containers) verify that the token is authentic? Since the "server" hasn't issued the JWT itself, it can't use its own secret.
I have read through the Cognito docs and googled a lot, but I can't find any good guideline about what to do with the JWT on the server side.