Validate Cognito tokens in Kong

Assuming a Kong environment is already set up and operating as expected, this post walks through validating Amazon Cognito tokens in Kong.

JWTs issued by popular identity providers such as Auth0 and Amazon Cognito can be validated by Kong's jwt plugin. The steps for validating a JWT issued by Auth0 in Kong are covered separately; in this post I focus on how to validate a JWT issued by Amazon Cognito.

Assuming that the Amazon Cognito user pool is set up and operating as expected: on every successful authentication of a user, Amazon Cognito issues
  • an ID token
  • an access token
The ID token is a JSON Web Token (JWT). It contains claims about the identity of the authenticated user, for example name, family_name and phone_number; for the full list of standard claims, see the OpenID Connect specification. Both tokens are RS256-signed JWTs, and the token_use claim ("id" or "access") tells you which one you are holding.

Fetch the user pool's public keys from the Amazon Cognito JWKS endpoint:

https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

The document contains more than one key, each identified by a kid. Pick the key whose kid matches the kid in the header of the tokens you need to validate, convert it from JWK to PEM with a library (for example the jwk-to-pem npm package), and save the result as cognito_public_key.pem.
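The JWKS-to-PEM step above is where most of the trouble happens, so here is an added example (not code from the original post) that does it in plain Python with no third-party library: it reads the kid from a token's header, selects the matching JWK, DER-encodes the RSA modulus and exponent as a SubjectPublicKeyInfo, wraps it in PEM, and returns the exact values (algorithm, key = iss, rsa_public_key) that the Kong consumer credential in step 4 needs. The JWKS, issuer, modulus values and token are constructed for the demo: the moduli are short placeholders rather than real Cognito keys, and the token carries a dummy signature segment, so no signature is verified here.

```python
"""Added example: select the Cognito JWK named by a token's kid, convert it to
the PEM Kong's jwt plugin accepts as rsa_public_key, and derive the credential
'key' (the token's iss, Kong's default key_claim_name).
All sample data below is constructed: placeholder moduli, unsigned token."""
import base64
import json


def b64url_decode(s: str) -> bytes:
    """JWT/JWK fields are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


# --- minimal DER encoder for an RSA SubjectPublicKeyInfo (RFC 5280 / RFC 8017) ---
def der_len(n: int) -> bytes:
    if n < 0x80:                       # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_integer(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:                 # DER INTEGER is signed: keep positive values positive
        body = b"\x00" + body
    return der_tlv(0x02, body)


RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1


def jwk_to_der(jwk: dict) -> bytes:
    """RSA JWK (n, e) -> DER SubjectPublicKeyInfo."""
    if jwk.get("kty") != "RSA":
        raise ValueError("only RSA keys are supported")
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # NULL parameters
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_public_key))


def jwk_to_pem(jwk: dict) -> str:
    b64 = base64.b64encode(jwk_to_der(jwk)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


# --- JWT header/payload inspection (no signature verification in this example) ---
def jwt_parts(token: str) -> tuple:
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def select_jwk(jwks: dict, kid: str) -> dict:
    for key in jwks["keys"]:
        if key.get("kid") == kid:
            return key
    raise KeyError(f"no key with kid {kid!r} in JWKS")


def kong_credential_for(token: str, jwks: dict) -> dict:
    """Values for the Kong consumer JWT credential: algorithm, key (= iss) and PEM."""
    header, payload = jwt_parts(token)
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    jwk = select_jwk(jwks, header["kid"])
    return {"algorithm": "RS256", "key": payload["iss"], "rsa_public_key": jwk_to_pem(jwk)}


# Constructed sample data (placeholder moduli, dummy signature); not a real user pool.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "key-1", "alg": "RS256", "use": "sig", "e": "AQAB",
     "n": b64url_encode(bytes.fromhex("d1" + "ab" * 14 + "cd"))},
    {"kty": "RSA", "kid": "key-2", "alg": "RS256", "use": "sig", "e": "AQAB",
     "n": b64url_encode(bytes.fromhex("c0ffeec0ffeec0ffeec0ffeec0ffeec1"))},
]}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"kid": "key-2", "alg": "RS256"}).encode()),
    b64url_encode(json.dumps({"iss": ISSUER, "token_use": "id", "exp": 1700000000}).encode()),
    b64url_encode(b"\x00" * 8),        # placeholder signature segment
])

if __name__ == "__main__":
    cred = kong_credential_for(SAMPLE_TOKEN, SAMPLE_JWKS)
    print("key (iss):", cred["key"])
    print(cred["rsa_public_key"])
```

Point the script at the real jwks.json and a real token and write cred["rsa_public_key"] to cognito_public_key.pem; cred["key"] is the value to pass as key= in step 4. The kid lookup matters because Kong itself does not consult the kid header.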

1. Create an endpoint in Kong

Note: /apis is Kong's legacy API entity (deprecated in 0.13 and removed in 1.0); on current versions create a service and a route instead and attach the plugin to them.

curl -i -X POST http://localhost:8001/apis \
  --data "name={api}" \
  --data "hosts=example.com" \
  --data "upstream_url=http://httpbin.org"

2. Enable the JWT plugin on it

Kong does not check token expiry unless you list exp in claims_to_verify, so do not leave it out:

curl -X POST http://localhost:8001/apis/{api}/plugins \
  --data "name=jwt" \
  --data "config.claims_to_verify=exp"

3. Create a consumer

curl -i -X POST http://localhost:8001/consumers \
  --data "username=<USERNAME>" \
  --data "custom_id=<CUSTOM_ID>"

4. Attach the Cognito public key to the consumer so Kong can validate its JWTs

The key value must equal the token's iss claim, which for Cognito is https://cognito-idp.{region}.amazonaws.com/{userPoolId}: the jwt plugin looks up the credential by the claim named in config.key_claim_name (default iss), not by the kid header, so the PEM you upload must be the key whose kid matches the tokens being validated.

curl -i -X POST http://localhost:8001/consumers/{consumer}/jwt \
  -F "algorithm=RS256" \
  -F "rsa_public_key=@./cognito_public_key.pem" \
  -F "key=https://cognito-idp.{region}.amazonaws.com/{userPoolId}"

5. Finally, test the endpoint

curl -i http://localhost:8000 \
  -H "Host: example.com" \
  -H "Authorization: Bearer <JWT_Token>"

With this setup Kong checks the signature, the iss-to-credential match and exp. It does not check aud/client_id or token_use, so any unexpired ID or access token from this user pool is accepted; if the upstream must only serve a particular app client or token type, it has to check those claims itself.

Comments

Unknown said…
Very useful article Senthil - thanks.

I have one question:
It seems to me that each AWS Cognito pool is associated with two different pairs of keys (not sure why, but this KB article alludes to it):
https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/

Now, I understand that a JWT token header contains a key id (kid), so the association with a particular public key is possible, but is this association between key id and public key performed automatically by the kong JWT plugin?

If not, I am not sure how the token signature could be verified.


Senthil said…
Hi Steve, thanks for visiting my blog.

Amazon Cognito generates two pairs of RSA keys for each user pool. One of the private keys is used to sign the token. To verify the signature of an Amazon Cognito JWT, first search for the key with a key ID that matches the key ID of the JWT. Then, use libraries to decode the token and verify the signature.

Refer to the following for a better understanding:
https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
https://github.com/awslabs/aws-support-tools/tree/master/Cognito/decode-verify-jwt
