jsonwebtokens-cognito 0.1.0-alpha.6

Decodes and verifies Json Web Tokens issued by AWS Cognito
Documentation

A Rust library for verifying Json Web Tokens issued by AWS Cognito

Install

jsonwebtokens-cognito = { git = "https://github.com/rib/jsonwebtokens-cognito" }

Note: Until reqwest gets a 0.10 release it's recommended to depend on git master because the latest reqwest release depends on numerous pre-release crate versions for things like tokio and hyper which are very likely to cause conflicts

Usage

let keyset = KeySet::new("eu-west-1", "my-user-pool-id")?;
let verifier = keyset.new_id_token_verifier(&["client-id-0", "client-id-1"])
    .claim_equals("custom_claim0", "value")
    .claim_equals("custom_claim1", "value")
    .build()?;

let claims = keyset.verify(token, &verifier).await?;

This library builds on top of jsonwebtokens token verifiers.

The keyset will fetch from the appropriate .jwks url when verifying the first token or, alternatively the cache can be primed by calling keyset.prefetch_jwks():

let keyset = KeySet::new("eu-west-1", "my-user-pool-id")?;
keyset.prefetch_jwks().await?;

If you need to perform token verification in a non-async context, or don't wan't to allow network I/O while verifying tokens then if you have explicitly prefetched the jwks key set you can verify tokens with try_verify:

let keyset = KeySet::new("eu-west-1", "my-user-pool-id")?;
keyset.prefetch_jwks().await?;
let verifier = keyset.new_id_token_verifier(&["client-id-0", "client-id-1"])
    .claim_equals("custom_claim0", "value")
    .claim_equals("custom_claim1", "value")
    .build()?;

let claims = keyset.try_verify(token, verifier).await?;

try_verify() will return a CacheMiss error if the required key has not been prefetched

A Keyset is Send safe so it can be used for authentication within a multi-threaded server.

Examples:

Verify an AWS Cognito Access token

let keyset = KeySet::new(AWS_REGION, AWS_POOL_ID)?;
let verifier = keyset.new_access_token_verifier(&[AWS_CLIENT_ID]).build()?;

keyset.verify(&token_str, &verifier).await?;

Verify an AWS Cognito Identity token

let keyset = KeySet::new(AWS_REGION, AWS_POOL_ID)?;
let verifier = keyset.new_id_token_verifier(&[AWS_CLIENT_ID]).build()?;

keyset.verify(&token_str, &verifier).await?;

Verify an AWS Cognito Access token with custom claims

let keyset = KeySet::new(AWS_REGION, AWS_POOL_ID)?;
let verifier = keyset.new_access_token_verifier(&[AWS_CLIENT_ID])
    .claim_equals("my_claim", "foo")
    .build()?;

keyset.verify(&token_str, &verifier).await?;

See jsonwebtokens for more examples of how to verify custom claims.