Closed jamesrusso closed 1 month ago
Thanks @jamesrusso for the inputs. This is very specifically intended for AWS Cognito. The token issued by AWS Cognito is JWT-compliant. The JWT token can work with generic certificates; however, custom certificates would not work well with this library.
Have you tried tymondesigns/jwt-auth? This is based on JWT-based authentication.
We use Auth0 and Okta in other projects and plan to develop a separate library soon.
@jamesrusso Can you share what you have written, so that we understand the requirement better?
The library you mention is for generating and validating JWT tokens it generates itself (hence you define your own JWT secret). A better reference would be https://github.com/benbjurstrom/cognito-jwt-guard. I cannot use this one due to some version dependencies, but perhaps I should just fork and update it.
I'm looking for a guard which would validate a token against the public key of the issuer. In the Cognito example it would download the key from https://cognito-idp.
If I understand this library correctly it doesn't verify the token, it simply stores it in the session. There isn't a need to verify it since it is obtained from the Cognito API. However, if it is instead obtained 100% on the browser side of things, then this library doesn't work for me.
It's my opinion that an API implementation with a bearer token should be completely stateless and not require a session.
Our project is an SPA with an API.
This library gets a token from Cognito and authorizes it with Cognito every time using the AWS SDK. Just the token TTL is managed outside of Cognito based on the expiry time.
We have a plan to use the Cognito certificates to read the token and use the sub as the key identifier. There is an open issue for the same.
Is your feature request related to a problem? Please describe. When using Laravel for just an API we cannot use the hosted Cognito login screen, since the guard only checks for tokens it generates and does not actually verify or validate the JWT token itself.
Describe the solution you'd like An additional guard which validates the access token and verifies its signature against the public key available at the well-known URL. You could then cache the well-known certificate for a period of time and even cache the access token for a period of time to prevent the crypto operations every request.
Describe alternatives you've considered We have considered using this for our registration component to create the users and then writing our own Guard for the validation, but I think this fits in this package.
An alternative would be to use Auth0 or Okta which provide libraries for this very purpose.