awslabs / aws-jwt-verify

JS library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs with RS256, RS384, and RS512
Apache License 2.0

[QUESTION] Can not verify Refresh Token #59

Closed wzhonggo closed 2 years ago

wzhonggo commented 2 years ago

Question: Cannot verify Refresh Token.

Error message: JwtParseError: JWT string does not consist of exactly 3 parts (header, payload, signature).

I want to get the refresh token payload, but it gives a decode error. The tokenUse has types id and access. Does this lib only support decoding access tokens and ID tokens?

Test code:

import { CognitoJwtVerifier } from "aws-jwt-verify";
try {
    // decode refresh token
    const verifier = CognitoJwtVerifier.create({
        userPoolId: "USER_POOL_ID",
        // tokenUse: 'id',
        tokenUse: null,
        clientId: "CLIENT_ID",
    });
    const payload = await verifier.verify(
        "refresh-token"
    );
    console.log("Token is valid. Payload:", payload);
} catch(e) {
    console.log(e);
    console.log("Token not valid!");
}

Versions
Which version of aws-jwt-verify are you using? 2.1.3
Which version of Node.js are you using? (Should be at least 14) v16.13.0
If using TypeScript, which version of TypeScript are you using? (Should be at least 4) not using TypeScript

ottokruse commented 2 years ago

Hi @wzhonggo! Cognito Refresh Tokens are in fact encrypted JWTs and nobody can decode or verify them except the Cognito service itself. The only way to know if a Cognito refresh token "is valid" is by actually using it against the Cognito APIs (e.g. by doing an InitiateAuth with REFRESH_TOKEN_AUTH).

ottokruse commented 2 years ago

What's your use case, that you'd want to verify a Cognito refresh token?

wzhonggo commented 2 years ago

@ottokruse I use Amplify JS with 127.0.0.1 and a random port in a browser with a desktop application. I hope the user can auto-login in the browser after the first login. Amplify JS saves the refresh token, ID token, access token and others in localStorage, but the port will change the next time the app is relaunched, so the tokens saved in localStorage are lost and the user needs to log in again. Now I save the refresh token to a file after the user logs in and pass the refresh token to the browser the next time the app launches. But Amplify JS has no API to accept a refresh token; it needs to be done manually, see https://github.com/aws-amplify/amplify-js/issues/5198. You must set CognitoIdentityServiceProvider.${APP_CLIENT_ID}.LastAuthUser, CognitoIdentityServiceProvider.${APP_CLIENT_ID}.${LastAuthUser}.refreshToken and CognitoIdentityServiceProvider.${APP_CLIENT_ID}.${LastAuthUser}.idToken (any non-empty string) if you want Amplify to restore the user. But now I only have the refresh token, so I found this lib can decode access tokens and ID tokens. I hoped it could decode the refresh token to get the username, but in fact it is not possible. Now I use a new way to get the username from the refresh token, see https://docs.aws.amazon.com/zh_cn/cognito-user-identity-pools/latest/APIReference/API_InitiateAuth.html.

Thanks
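The approach both comments above converge on (exchange the refresh token via InitiateAuth with REFRESH_TOKEN_AUTH, then work with the returned ID token), as an added example that is not code from the aws-jwt-verify project or from either participant. It assumes an app client without a client secret (otherwise a SECRET_HASH parameter is also required), Node 18+ for the global fetch, and placeholder values for region and client ID.

```javascript
// Added example, not code from aws-jwt-verify or from the issue above.
// Assumes: app client WITHOUT a client secret (else SECRET_HASH is required),
// Node 18+ for global fetch; region and clientId are placeholders.

// A Cognito access or ID token is a compact JWS: exactly three base64url parts.
// A Cognito refresh token is encrypted and does not have this shape, which is
// why CognitoJwtVerifier.verify() throws the JwtParseError quoted in the issue.
function isCompactJws(token) {
  return typeof token === "string" &&
    /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/.test(token);
}

// Build the unsigned InitiateAuth call (REFRESH_TOKEN_AUTH flow). Exchanging the
// refresh token with Cognito is the only way to learn whether it is still valid.
function buildRefreshRequest(region, clientId, refreshToken) {
  return {
    url: `https://cognito-idp.${region}.amazonaws.com/`,
    headers: {
      "Content-Type": "application/x-amz-json-1.1",
      "X-Amz-Target": "AWSCognitoIdentityProviderService.InitiateAuth",
    },
    body: JSON.stringify({
      AuthFlow: "REFRESH_TOKEN_AUTH",
      ClientId: clientId,
      AuthParameters: { REFRESH_TOKEN: refreshToken },
    }),
  };
}

// Exchange the refresh token; resolves with the AuthenticationResult object
// ({ IdToken, AccessToken, ExpiresIn, TokenType }). A revoked or expired
// refresh token is rejected by Cognito (e.g. NotAuthorizedException).
async function refreshSession(region, clientId, refreshToken) {
  const { url, headers, body } = buildRefreshRequest(region, clientId, refreshToken);
  const res = await fetch(url, { method: "POST", headers, body });
  const json = await res.json();
  if (!res.ok) throw new Error(`${json.__type}: ${json.message}`);
  return json.AuthenticationResult;
}

// Typical flow: const { IdToken } = await refreshSession(region, clientId, rt);
// IdToken is a real three-part JWS, so it can now be passed to
// CognitoJwtVerifier.create({ userPoolId, tokenUse: "id", clientId }).verify(IdToken);
// the verified payload carries "cognito:username". Never read the username from
// an unverified payload; only the verified token is trustworthy.
```

Note that the shape check in isCompactJws only tells you a string cannot be a Cognito refresh token; it says nothing about validity, which only the InitiateAuth exchange establishes.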