AWS Cognito. How to decode JWT in Python

Asked 16/4, 2019 at 7:51 Answered 30/4, 2024 at 14:11

I want to authenticate users using Cognito Identity provider (Facebook) in Django application. When user signs-in, he is redirected to home page with access_token and id_token. These are JWT tokens. I need to decode them to get information about user. How to achieve it?

I tried using jwt library. Many resources say that I need PUBLIC_KEY converted to PEM format to decode these tokens. I visited: https://cognito-idp.{aws-region}.amazonaws.com/{user-pool-id}/.well-known/jwks.json and got dictionary:

{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "cKgEILaVv5nXrJNBtfdaEVfA9Sn+GNdMpXbO58Li+eLyiA=",
      "kty": "RSA",
      "n": "kpE2A8GfBoDiLcnHme9WLSIMezPAXg8ibZ8hIa4GvmJAT1LmR9CDN0Yt-JlKE_gH73HbldpgqCbflygbcZtdn1RMdfafdafaQq3sOY0RJqC8-jdZTWb0Cbw2E-fmmOtgHqz11ZlbqaZYpcRYvyNwuWQs05kikzaUudwp05TTd4N0VznbMMm9peu_Ghw7nqlgkvU8WWO6tD_LzF8VDTroKdGAnrh3kwRVY8le5JwzoGMDVbNtOQFwla8yyxNfRRFQVkcnOxb14BhrO3N8ZsI-E9eB9ZbUNt27DxAMjxsNzERSUx3gm7zq-d2SYyZ31P_FNxOTS0RlKPN69Jlscack7ghM_nZdnw",
      "use": "sig"
    },
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "wMYp8SsLhXBtE2wbYK1hQfdafadfadeiYkDYXctg1GkdmTTFs+I=",
      "kty": "RSA",
      "n": "i_W1pexAB1FhY3oJ0jEGeks1b8jCFZOWU7PAvzi3kdeP7JR2IP91W8FV9ou6gT1dn6F8ZbDvJEF9PNJkmQxwvHkoeYzgaOhNFXBU5Jfv20rQfdafa56PufchgtGndaI22TnnPDg_L5UElaljJvmzTcDTk0xHqJRxhw2LAqembfij5TV_8mSHpqIbWvppOTqT7s3zI7DdfDLDOX7CHFRht3uesX5drVo-S9IsJCJ2l3rCChTCy8e32YY68iHH40t5vVPkuqr1ffMfKYkyXC3urliCawRKnrk62ngAskjRiAihmIl8E79_Ddfn5O5RYqLY71Q4T6Epep4C1ygjlBrToFd8Haw",
      "use": "sig"
    }
  ]
}

I don't know what to grab from here.

Ternopol answered 16/4, 2019 at 7:51 Comment(5)

you don't need any key to DECODE a JWT. A JWT consists of 3 base64url encoded parts, header, payload and signature. You can just decode the payload with any base64url decoder. You would need the public key only to VERIFY the signature. Try to decode your token on jwt.io – Mckeown 16/4, 2019 at 7:58

I guess this is your solution? #38120121 – Revolute 16/4, 2019 at 8:9

@Mckeown Can you help me. I encountered another problem: ``` from base64 import b64decode header, payload, signauture = id_token.split(".") payload_string = b64decode(payload) ``` I'm getting Incorrect Padding Error. If I put the id_token on jwt.io I'm able to see my credentials, so it's not id_token fault. Thanks in advance. – Ternopol 17/4, 2019 at 6:44

maybe that helps: #6102811 – Mckeown 17/4, 2019 at 7:14

I used pyjwkest library instead of base64, and decoded payload without a problem. Thanks once again for helping. – Ternopol 17/4, 2019 at 7:58

Using the PyJWT library, you can decode a JWT token via:

import jwt

encoded = token  # replace this with your encoded token
jwt.decode(encoded, algorithms=["RS256"], options={"verify_signature": False})

The options configuration will tell the PyJWT library to ignore the public-key aspect of the verification process, and decode the Base64 key regardless.

note – the algorithm is hardcoded as RS256, per the AWS Cognito standard, but you can choose to leave that argument out if you wish (PyJWT will figure it out).

To decode and verify the JWT, you can utilize the borisrozumnuk/cognitojwt library:

from cognitojwt import jwt_sync

jwt_sync.decode(token)

If you want to avoid 3rd-party libraries, you manually install the AWSLabs aws-support-tools 'decode-verify-jwt' module:

from decode-verify-jwt import lambda_handler as decode_verify_jwt

decode_verify_jwt({'token': token}, None)

Bernetta answered 19/10, 2022 at 17:46 Comment(0)

-1

The answer given above is outdated so adding the new code if your are using jwt for decoding it

from jwt import JWT
from jwt.exceptions import JWTDecodeError

def decode_token(token:str):
   try:
      jwt_ = JWT()
      return jwt_.decode(token, algorithms=['RS256'],do_verify=False)
   except JWTDecodeError as e:
      print('token expired')

Ventriloquize answered 30/4, 2024 at 14:11 Comment(0)

Recommended topics

Hot tags