Decoding an AWS Session Token

We are using AWS Cognito Federated Identities to obtain a Session Token from the AWS Security Token Service, then leverage it to secure our APIs via API Gateway. This is working well.

But within our web service, we sometimes must obtain the issuer and subject from the JWT token used to derive the Session Token. For this, we are exploring AWSSecurityTokenServiceClient.

But my question is whether it's possible to simply decode the Session Token without invoking the Security Token Service for every API call. Thoughts?

Goodhen answered 27/9, 2019 at 20:9 Comment(5)
The JWT token is located in the cookie; if you can get the cookie, you can decode the JWT token. I hope I get you; if I missed the point, please share some more information with us.Qp
Thanks for your response, but I'm referring to a REST API sent through the AWS API Gateway to a back-end server. The API Gateway examines the IAM roles specified in the Session Token, and either denies or approves the API for passthrough. Once in our back-end microservice, we need to further examine the Session Token for the Issuer and Subject. In other words, there is no cookie.Goodhen
@RandyLeonard, did you ever figure this out?Alexi
Unfortunately notGoodhen
I find this extraordinary. A format used by millions of people every day, but nobody has reverse-engineered it... that I can find. There's clearly some kind of structure in there, after base64 decode, I see a region, and the 12-digit account number the token relates to.Katelyn

Here is an example of the response provided by AWS Security Token Service, via an API call to Cognito Federated Services:

{
  "IdentityId": "us-east-2:4628a310-f743-43bb-8808-6123c744c664",
  "Credentials": {
    "AccessKeyId": "ASIATTD56AWGXWG2GGES",
    "SecretKey": "0TOwO2JMgWQLd6FvVrX5m9UKsDcFfQW3goG3NQ8Z",
    "SessionToken": "...",
    "Expiration": "2019-09-27T18:13:42.000Z"
  }
}

Note that the SessionToken is fairly lengthy, but does not decode when pasted into https://jwt.io

Goodhen answered 2/10, 2019 at 4:30 Comment(3)
Are you providing any solutions in your answer, or are you just pointing out that the STS SessionToken is not a JWT, and thus can't be decoded?Alexi
Apologies... I have not been successful in decoding a SessionToken.Goodhen
@RandyLeonard, in case you still care, I have discovered that the AWS_SESSION_TOKEN seems to be base64 encoded. For instance, decoding the aws token above, I can see this: "origin_ec us-east-2" in the content. But if there is more information encoded into the token than that, it's likely that there is additional encoding in the result.Synthesis
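An added example, not code from the question, from any answer, or from AWS, that does what the comments on the question (the region and 12-digit account number seen after base64 decoding) and the comment just above ("origin_ec us-east-2") describe. It tells a JWT (three dot-separated base64url segments with a JSON header and payload, which is what jwt.io decodes) apart from an STS SessionToken (one run of standard base64 that decodes to a mostly binary blob), returns a JWT's unverified iss and sub claims, and runs a strings-style scan over the opaque blob. Both inputs are constructed inside the block: the JWT is signed with a throwaway key, and the "session token" is a made-up byte string, because AWS does not document the real layout. The fragments such a scan recovers are whatever happens to be stored as ASCII, not a parse of the format, and nothing here verifies a signature.

```python
import base64
import binascii
import hashlib
import hmac
import json
import re


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def parse_jwt_unverified(token: str):
    """Return (header, payload) if `token` is JWT-shaped, else None.

    The signature is NOT checked: this is for inspection only (what jwt.io
    shows), never for trusting the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except (binascii.Error, ValueError):  # bad base64, bad UTF-8 or bad JSON
        return None
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return None
    return header, payload


def printable_runs(blob: bytes, min_len: int = 4):
    """Pull runs of printable ASCII out of an opaque byte string, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def inspect_token(token: str) -> dict:
    """Classify a credential string.

    'jwt'     : three base64url segments with JSON header/payload; returns the
                (unverified) claims plus iss and sub if present.
    'opaque'  : plain base64 of a non-JWT blob (the shape of an STS SessionToken);
                returns only the printable fragments found inside it.
    'unknown' : neither.
    """
    jwt = parse_jwt_unverified(token)
    if jwt is not None:
        header, claims = jwt
        return {"kind": "jwt", "header": header, "claims": claims,
                "iss": claims.get("iss"), "sub": claims.get("sub")}
    try:
        raw = base64.b64decode(token, validate=True)
    except binascii.Error:
        return {"kind": "unknown", "strings": []}
    return {"kind": "opaque", "length": len(raw), "strings": printable_runs(raw)}


def make_sample_jwt(claims: dict, key: bytes = b"sample-key-not-a-real-secret") -> str:
    """Build an HS256 JWT for testing. Constructed here; not a Cognito token."""
    def enc(obj) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()


# Constructed sample JWT; the issuer and subject values are placeholders.
SAMPLE_JWT = make_sample_jwt({
    "iss": "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLE",
    "sub": "00000000-0000-4000-8000-000000000000",
    "exp": 1569600000,
})

# Constructed stand-in for an STS SessionToken. The real layout is undocumented;
# this only mimics the observation in the thread that readable fragments such as
# "origin_ec", a region and an account number sit among binary bytes.
_OPAQUE_BYTES = (
    b"\x02\x01\x00\x17"
    + b"origin_ec\x00"
    + b"us-east-2\x00"
    + b"\x00\x00\x08"
    + b"123456789012\x00"
    + bytes(range(0x80, 0xA0))
)
SAMPLE_OPAQUE_TOKEN = base64.b64encode(_OPAQUE_BYTES).decode("ascii")


if __name__ == "__main__":
    for name, tok in (("jwt", SAMPLE_JWT), ("sts-like", SAMPLE_OPAQUE_TOKEN)):
        print(name, json.dumps(inspect_token(tok), indent=2))
```

Run it with a real SessionToken in place of SAMPLE_OPAQUE_TOKEN to see which fragments your own tokens expose. Whatever comes back is for curiosity only: a backend must not base an authorization decision on unverified JWT claims or on ASCII fished out of an opaque blob whose format AWS can change at any time.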

Yes, a JWT token can be decoded without calling the Security Token Service for every API call.

Please copy-paste the JWT token into https://jwt.io and you can see the details.

Dillingham answered 1/10, 2019 at 6:50 Comment(2)
Agreed that is doable, but all that shows up are three claims, two of which are timestamps. What we are looking for is the issuer and subject of the original JWT token, which I presume is embedded within the Session Token.... nested tokens, that is.Goodhen
Let me rephrase that... decoding a session token provides just three claims, two of which are timestamps. What we are looking for is the issuer and subject of the original JWT token, which I presume is embedded within the Session Token.... nested tokens, that is. Keep in mind, our services are working only with a Session Token from the Security Token Service, not the JWT token from the Identity Provider.Goodhen

[Image: Sample Cognito JWT Token]

This image has the full payload of what you are looking for, Session Token and JWT token. I hope this is what you are looking for.

However, please note that only the JWT token will be passed through API Gateway.

Dillingham answered 1/10, 2019 at 18:18 Comment(1)
If that is the Session Token created by the AWS Security Token Service, then that is perfect. Especially given it has embedded the Identity and Access tokens. Unfortunately, this is not what I am seeing. I'll provide the full response from the Security Token Service in a separate 'Answer', to illustrate the Session Token from AWS STS does not appear to be a valid JWT token formatGoodhen

© 2022 - 2024 — McMap. All rights reserved.