aws-amplify / amplify-flutter

A declarative library with an easy-to-use interface for building Flutter applications on AWS.
https://docs.amplify.aws
Apache License 2.0

Re-encoded JWT tokens have an invalid signature #5392

Open mevansam opened 2 weeks ago

mevansam commented 2 weeks ago

Description

The encoded JWT tokens provided via a valid Amplify Cognito SDK Session instance contain an invalid signature.

Categories

Steps to Reproduce

After login via the Flutter Amplify Cognito plugin, JWT tokens are retrieved from the session and passed to upstream APIs in Authorization headers. The following steps were followed:

1) Fetched the token from the logged-in session.

```dart
// Fetch the current session and pull the access token out of the user pool tokens.
final result = await _cognitoPlugin.fetchAuthSession();
final accessToken = result.userPoolTokensResult.value.accessToken;
// Re-encode the parsed token back into a compact JWT string.
final encodedToken = accessToken.encode();
```

2) The `encodedToken` is then passed to APIs in the Authorization HTTP header.

After investigation, it was determined that the raw token extracted as follows was valid.

```dart
// Read the tokens straight from the auth state machine and take the raw string as issued.
final tokens = await _cognitoPlugin.stateMachine.getUserPoolTokens();
final encodedToken = tokens.accessToken.raw;
```

The issue appears to be that the message part of the JWT token is deserialized and then serialized again when re-encoding, with the keys in ascending order, which is different from the original token issued by the Cognito IdP. This results in the original signature becoming invalid.

Screenshots

No response

Platforms

Flutter Version

3.24.0

Amplify Flutter Version

2.4.0

Deployment Method

Custom Pipeline

Schema

N/A

Jordan-Nelson commented 2 weeks ago

@mevansam Thanks for opening the issue. We will attempt to reproduce this.

NikaHsn commented 1 week ago

@mevansam you can use

```dart
final result = await _cognitoPlugin.fetchAuthSession();
// `.raw` is the token string exactly as issued, with its original signature intact.
final accessToken = result.userPoolTokensResult.value.accessToken.raw;
```

This is the encoded JWT string that you can use for the Authorization header.
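
The mechanism behind both the report above and the `.raw` advice, as an added example that is not part of the issue thread or the amplify-flutter code base: a JWT signature covers the exact base64url bytes of the header and payload as the issuer serialised them, so any client-side round trip through a JSON object that changes key order produces a token whose claims are unchanged but whose signature no longer verifies. The example uses HS256 with a constructed secret and constructed claims purely so it can run offline; Cognito tokens are RS256-signed with the user pool's key, but the canonicalisation problem is identical for every algorithm. The helper names (`sign_hs256`, `verify_hs256`, `reencode_with_sorted_keys`, `demo`) are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret (assumption for the example; a Cognito token is
# RS256-signed with the pool's key, which does not change the point shown here).
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def sign_hs256(header: dict, payload: dict) -> str:
    """Mint a JWT the way an issuer does: the MAC covers the exact bytes
    'header_b64.payload_b64' in the order the issuer serialised the JSON."""
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


def verify_hs256(token: str) -> bool:
    """The verifier recomputes the MAC over the received header.payload bytes only;
    it never parses the JSON first, so key order is part of what is signed."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False  # wrong number of segments
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def reencode_with_sorted_keys(token: str) -> str:
    """Reproduce what the issue describes: decode the JSON parts, serialise them
    again with keys in ascending order, and reattach the ORIGINAL signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    header_b64 = b64url_encode(json.dumps(header, sort_keys=True, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


def demo() -> dict:
    """Compare the raw token with its re-encoded form against the same verifier."""
    # Constructed claims, deliberately not in alphabetical order, as an issuer might emit them.
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {
        "sub": "constructed-user-id",
        "token_use": "access",
        "exp": 1700000000,
        "client_id": "constructed-client-id",
    }
    raw = sign_hs256(header, payload)
    reencoded = reencode_with_sorted_keys(raw)
    return {
        "raw_verifies": verify_hs256(raw),
        "reencoded_verifies": verify_hs256(reencoded),
        # The claims survive the round trip; only the bytes under the signature changed.
        "same_claims": json.loads(b64url_decode(reencoded.split(".")[1])) == payload,
        "bytes_differ": raw != reencoded,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway for anything that forwards a token to an upstream API is the same as the advice in the thread: carry the issuer's string through untouched (`.raw` here), and treat a parsed token as something to read claims from, never as something to re-serialise for transport.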