How to verify JWT from AWS Cognito in the API backend?

Problem description

I'm building a system consisting of an Angular2 single page app and a REST API running on ECS. The API runs on .Net/Nancy, but that might well change.

I would like to give Cognito a try and this is how I imagined the authentication workflow:

  1. The SPA logs the user in and receives a JWT
  2. The SPA sends the JWT to the REST API with every request
  3. The REST API verifies that the JWT is authentic

My question is about step 3. How can my server (or rather: my stateless, auto-scaled, load-balanced Docker containers) verify that the token is authentic? Since the "server" hasn't issued the JWT itself, it can't use its own secret (as described in the basic JWT example here).

I have read through the Cognito docs and googled a lot, but I can't find any good guideline about what to do with the JWT on the server side.

Recommended answer

Turns out I didn't read the docs right. It's explained here (scroll down to "Using ID Tokens and Access Tokens in your Web APIs").

The API service can download Cognito's secrets and use them to verify received JWTs. Perfect.

Edit

@Groady's comment is on point: but how do you validate the tokens? I'd say use a battle-tested library like jose4j or nimbus (both Java) for that and don't implement the verification from scratch yourself.

Here's an example implementation for Spring Boot using nimbus that got me started when I recently had to implement this in a java/dropwizard service.
