jwt-verify 0.1.0

JWT verification library for AWS Cognito tokens and any OIDC-compatible IDP
# JWT Verify Examples

Examples demonstrating **JWT verification** for **AWS Cognito** and **OIDC-compatible** identity providers.

## Quick Start

1. Copy the example environment file:

   ```bash
   cp .env.example .env
   ```

2. Edit `.env` with your configuration:

   ```bash
   # For Cognito
   AWS_REGION=us-east-1
   COGNITO_USER_POOL_ID=us-east-1_example
   COGNITO_CLIENT_ID=your-client-id
   COGNITO_ID_TOKEN=your-id-token
   COGNITO_ACCESS_TOKEN=your-access-token
   ```

3. Run the examples:

   ```bash
   cargo run --example cognito_basic
   cargo run --example oidc_basic
   ```

## Examples Overview

### `cognito_basic.rs`

Demonstrates AWS Cognito JWT verification:

- ✅ Single user pool with single client ID
- ✅ Multiple user pools with different client IDs
- ✅ Single user pool with multiple client IDs (web/mobile apps)
- ✅ Negative test cases (wrong token types, expired tokens, malformed tokens)
- ✅ JWK prefetching (hydration)

### `oidc_basic.rs`

Demonstrates OIDC JWT verification:

- ✅ Single provider with single client ID
- ✅ Multiple providers with different client IDs
- ✅ Single provider with multiple client IDs
- ✅ Negative test cases
- ✅ JWK prefetching (hydration)

## Configuration Reference

### AWS Cognito

| Variable               | Description                  | Example                 |
| ---------------------- | ---------------------------- | ----------------------- |
| `AWS_REGION`           | AWS region of your user pool | `us-east-1`             |
| `COGNITO_USER_POOL_ID` | Cognito user pool ID         | `us-east-1_example`     |
| `COGNITO_CLIENT_ID`    | Client ID (web app)          | `your-client-id`        |
| `COGNITO_CLIENT_ID_2`  | Client ID (mobile app)       | `your-mobile-client-id` |
| `COGNITO_ID_TOKEN`     | ID token for testing         | `eyJraWQ...`            |
| `COGNITO_ACCESS_TOKEN` | Access token for testing     | `eyJraWQ...`            |

**Multiple user pools:**

```bash
# Second user pool
AWS_REGION_2=us-west-2
COGNITO_USER_POOL_ID_2=us-west-2_example2
COGNITO_CLIENT_ID_2=client2
```

### OIDC Providers

| Variable            | Description              | Example                                              |
| ------------------- | ------------------------ | ---------------------------------------------------- |
| `OIDC_ISSUER`       | Provider issuer URL      | `https://accounts.example.com`                       |
| `OIDC_JWKS_URL`     | JWKS URL (optional)      | `https://accounts.example.com/.well-known/jwks.json` |
| `OIDC_CLIENT_ID`    | Client ID                | `your-client-id`                                     |
| `OIDC_ID_TOKEN`     | ID token for testing     | `eyJraWQ...`                                         |
| `OIDC_ACCESS_TOKEN` | Access token for testing | `eyJraWQ...`                                         |

**Multiple providers:**

```bash
# Second provider
OIDC_ISSUER_2=https://auth.example2.com
OIDC_JWKS_URL_2=https://auth.example2.com/.well-known/jwks.json
OIDC_CLIENT_ID_2=client2
```

### Using Cognito as OIDC Provider

AWS Cognito can be used with the OIDC verifier:

```bash
OIDC_ISSUER=https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example
OIDC_JWKS_URL=https://cognito-idp.us-east-1.amazonaws.com/us-east-1_example/.well-known/jwks.json
OIDC_CLIENT_ID=your-client-id
```
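As an added illustration, not code from this crate or its examples, of what the negative cases listed for `cognito_basic.rs` and the Cognito-as-OIDC mapping above mean in practice: the issuer and JWKS URLs derived from the region and user pool ID, followed by the claim checks a verifier applies after the signature has been validated against that JWKS (signature verification itself is not shown). The `aud`/`client_id` split and the `token_use` values are Cognito's documented claim layout; the unsigned token builder and the configuration values in the assertions are constructed test data, and Python is used here for brevity rather than Rust.

```python
import base64
import json

def cognito_issuer(region: str, user_pool_id: str) -> str:
    """The `iss` claim in a Cognito token, i.e. OIDC_ISSUER for that pool."""
    return f"https://cognito-idp.{region}.amazonaws.com/{user_pool_id}"

def cognito_jwks_url(region: str, user_pool_id: str) -> str:
    """Where the pool publishes its signing keys, i.e. OIDC_JWKS_URL."""
    return cognito_issuer(region, user_pool_id) + "/.well-known/jwks.json"

def decode_claims(token: str) -> dict:
    """Split header.payload.signature and base64url-decode the payload."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))

def verify_claims(token, region, pool, client_ids, expected_use, now):
    """Claim checks that follow a successful signature check against the JWKS.
    Returns "ok" or the reason the token is rejected."""
    try:
        claims = decode_claims(token)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return "malformed token"
    if claims.get("iss") != cognito_issuer(region, pool):
        return "wrong issuer"
    if claims.get("token_use") != expected_use:
        return "wrong token type"
    # Cognito ID tokens name the app client in `aud`, access tokens in `client_id`.
    audience = claims.get("aud") if expected_use == "id" else claims.get("client_id")
    if audience not in client_ids:
        return "unknown client"
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return "expired"
    return "ok"

def unsigned_token(claims: dict) -> str:
    """Constructed test token: real header and payload, placeholder signature."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'kid': 'constructed'})}.{seg(claims)}.sig"
```

Passing `{COGNITO_CLIENT_ID, COGNITO_CLIENT_ID_2}` as `client_ids` is the single-pool, web-plus-mobile case from the examples overview; a second pool needs its own issuer and JWKS, so it is a separate verifier, not an extra client ID.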

## Getting Test Tokens

### AWS Cognito

Using AWS CLI:

```bash
aws cognito-idp admin-initiate-auth \
  --user-pool-id us-east-1_example \
  --client-id your-client-id \
  --auth-flow ADMIN_USER_PASSWORD_AUTH \
  --auth-parameters USERNAME=user@example.com,PASSWORD=YourPassword123
```

Or use AWS Amplify in your application and extract tokens from the authentication response.

### OIDC Providers

Most OIDC providers offer:

- Developer consoles with token generation tools
- OAuth 2.0 authorization code flow
- Test clients for development

Check your provider's documentation for specific instructions.