markomirosavljev / fastapi-cognito

Basic Cognito-Auth library for Python and FastAPI.
MIT License

wip: add validation logic for token claims #18

Closed sansmoraxz closed 5 months ago

sansmoraxz commented 9 months ago

There are missing validations for the token.

For example:

These are not covered by the dependent cognitojwt which has not been updated for 3 years.

Additionally, id tokens have a different format than access_token.

Enabling support for both and adding some hooks for custom logic (such as federated logins) would be ideal.

sansmoraxz commented 9 months ago

I would suggest dropping cognitojwt and using jose directly.

WDYT @markomirosavljev?

markomirosavljev commented 9 months ago

Hello, thank you for the contribution and the proposal for these great features. Currently I don't have enough time to work on this, but I hope that in the next couple of days I will go through the changes and review everything.

> I would suggest dropping cognitojwt and using jose directly.
>
> WDYT @markomirosavljev?

This would be great since it's not maintained anymore.
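
The format difference between ID and access tokens raised in the thread, as an added example (not code from this PR, from fastapi-cognito or from cognitojwt): Cognito ID tokens carry the app client ID in `aud`, access tokens carry it in `client_id`, and both state their kind in `token_use`. The function name, parameters, pool URL, client ID and sample claims below are constructed, and the payload is assumed to have already passed signature verification.

```python
import time


class ClaimError(ValueError):
    """Raised when a decoded Cognito token fails a claim check."""


def validate_cognito_claims(claims, *, issuer, client_id, token_use,
                            now=None, leeway=0):
    """Validate claims of a token whose signature is ALREADY verified.

    Hypothetical helper: it only covers the checks that differ between
    ID and access tokens, plus issuer and expiry.
    """
    if token_use not in ("id", "access"):
        raise ValueError("token_use must be 'id' or 'access'")
    now = time.time() if now is None else now

    # Reject an access token presented where an ID token is expected
    # (and the reverse); both kinds are signed with the same pool keys.
    if claims.get("token_use") != token_use:
        raise ClaimError("unexpected token_use: %r" % claims.get("token_use"))

    # The issuer must be exactly this user pool.
    if claims.get("iss") != issuer:
        raise ClaimError("unexpected issuer")

    # A missing or non-numeric exp is treated as expired.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ClaimError("exp missing or malformed")
    if now > exp + leeway:
        raise ClaimError("token expired")

    # ID tokens bind to the app client via 'aud', access tokens via 'client_id'.
    binding = "aud" if token_use == "id" else "client_id"
    if claims.get(binding) != client_id:
        raise ClaimError("%s does not match the app client" % binding)
    return claims


# Constructed sample values, not taken from any real user pool.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"
SAMPLE_ID = {"token_use": "id", "iss": ISSUER, "aud": CLIENT_ID,
             "exp": 2_000_000_000, "sub": "constructed-sub"}
SAMPLE_ACCESS = {"token_use": "access", "iss": ISSUER, "client_id": CLIENT_ID,
                 "exp": 2_000_000_000, "sub": "constructed-sub"}
```
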