labd / django-cognito-jwt

An Authentication backend for Django Rest Framework for AWS Cognito JWT tokens
MIT License
179 stars 59 forks

Unable to accept Cognito Access Tokens #22

Open xavfernandez opened 5 years ago

xavfernandez commented 5 years ago

Cognito access tokens are lacking the aud field (cf https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token) making their decoding impossible/invalid with this library since the audience is provided & expected at the decoding step: https://github.com/labd/django-cognito-jwt/blob/master/src/django_cognito_jwt/validator.py#L64.

Would you be willing to accept a PR making the audience optional?

martinzugnoni commented 4 years ago

Same happening to me. Authentication works by providing the IdToken, but it doesn't when using the normal AccessToken. I would rather use AccessToken because the IdToken contains some sensitive user data (like email, etc.) that I would prefer not to send around in a token.

danni commented 3 years ago

Just a note: the module will accept the access token if the COGNITO_AUDIENCE setting is set to None.
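
An added example, not part of the thread or of the project's code: with the `aud` check disabled so that access tokens decode, the binding to the app client has to come from the `client_id` and `token_use` claims that Cognito access tokens carry instead. The function, exception and sample values below are hypothetical, and the claims are assumed to come from a token whose signature has already been verified.

```python
import time

class ClaimError(Exception):
    """Raised when a verified Cognito token fails a claim check."""

def check_cognito_claims(claims, issuer, app_client_id, expected_use, now=None):
    """Validate claims of a Cognito JWT whose signature is ALREADY verified.

    ID tokens carry the app client id in `aud`; access tokens have no `aud`
    and carry it in `client_id`, so the check depends on `token_use`.
    """
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ClaimError("unexpected issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ClaimError("token expired or exp missing")
    use = claims.get("token_use")
    if use != expected_use:
        raise ClaimError(f"token_use is {use!r}, expected {expected_use!r}")
    if use == "id":
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if app_client_id not in audiences:
            raise ClaimError("aud does not match app client id")
    elif use == "access":
        if claims.get("client_id") != app_client_id:
            raise ClaimError("client_id does not match app client id")
    else:
        raise ClaimError("unsupported token_use")
    return claims

# Constructed sample values (not a real user pool or app client).
ISSUER = "https://cognito-idp.eu-west-1.amazonaws.com/eu-west-1_EXAMPLE"
CLIENT = "exampleclientid123"
ACCESS = {"iss": ISSUER, "exp": 2000, "token_use": "access",
          "client_id": CLIENT, "sub": "user-1", "scope": "openid"}
ID = {"iss": ISSUER, "exp": 2000, "token_use": "id", "aud": CLIENT,
      "sub": "user-1", "email": "user@example.com"}

def is_valid(claims, expected_use, client=CLIENT):
    """Return True if the claims pass every check at constructed time now=1000."""
    try:
        check_cognito_claims(claims, ISSUER, client, expected_use, now=1000)
        return True
    except ClaimError:
        return False
```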