Back

Explore Courses Blog Tutorials Interview Questions
0 votes
1 view
in AWS by (19.1k points)

I'm building a system consisting of an Angular2 single page app and a REST API running on ECS. The API runs on .Net/Nancy, but that might well change.

I would like to give Cognito a try and this is how I imagined the authentication workflow:

  1. SPA signs in user and receives a JWT
  2. SPA sends JWT to REST API with every request
  3. REST API verifies that the JWT is authentic

My question is about step 3. How can my server (or rather: my stateless, auto-scaled, load-balanced Docker containers) verify that the token is authentic? Since the "server" hasn't issued the JWT itself, it can't use its own secret.

I have read through the Cognito docs and googled a lot, but I can't find any good guideline about what to do with the JWT on the server side.

1 Answer

0 votes
by (44.3k points)

All the required information is provided in this documentation under using the ID tokens and Using the access tokens - https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html

Basically, the API service will be able to download Cognito’s secrets and then use them to verify the received JWT’s.

But how to validate the tokens? We can use a battle-tested library like nimbus or jose4j and also do not implement the verification from scratch. Get some help from existing implementations.

Related questions

Want to get 50% Hike on your Salary?

Learn how we helped 50,000+ professionals like you !

Welcome to Intellipaat Community. Get your technical queries answered by top developers!

28.4k questions

29.7k answers

500 comments

94.1k users

Browse Categories

...