CognitoJwtVerifier

jwt_verify

Struct CognitoJwtVerifier 

Source 
pub struct CognitoJwtVerifier { /* private fields */ }
Expand description

Cognito JWT verifier

This is the main entry point for the JWT verification library. It manages multiple user pools and provides methods for verifying different types of tokens.

The verifier uses issuer-based provider selection to determine which user pool should verify a given token. This means that tokens must contain a valid issuer claim that matches one of the registered user pools.

§Examples

use jwt_verify::{CognitoJwtVerifier, VerifierConfig};
use std::time::Duration;

// Create configurations for multiple user pools
let config1 = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example1",
    &["client1".to_string()],
    None,
).unwrap();

let config2 = VerifierConfig::new(
    "us-west-2",
    "us-west-2_example2",
    &["client2".to_string()],
    None,
).unwrap();

// Create a verifier with multiple user pools
let verifier = CognitoJwtVerifier::new(vec![config1, config2]).unwrap();

// Verify a token (the issuer in the token will determine which user pool to use)
let token = "..."; // JWT token string
let claims = verifier.verify_id_token(token).await.unwrap();

Implementations§

Source§

impl CognitoJwtVerifier

Source

pub fn new(configs: Vec<VerifierConfig>) -> Result<Self, JwtError>

Create a new verifier with multiple user pool configurations

This constructor takes a vector of VerifierConfig objects, each representing a different Cognito user pool. The verifier will register all these user pools and use them for token verification based on the issuer claim in the tokens.

§Parameters
  • configs - Vector of configurations for different user pools
§Returns

Returns a Result containing the new CognitoJwtVerifier if successful, or a JwtError if any of the configurations are invalid or if there’s an error registering the user pools.

§Examples
use jwt_verify::{CognitoJwtVerifier, VerifierConfig};

// Create configurations for multiple user pools
let config1 = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example1",
    &["client1".to_string()],
    None,
).unwrap();

let config2 = VerifierConfig::new(
    "us-west-2",
    "us-west-2_example2",
    &["client2".to_string()],
    None,
).unwrap();

// Create a verifier with multiple user pools
let verifier = CognitoJwtVerifier::new(vec![config1, config2]).unwrap();
Source

pub fn new_single_pool( region: &str, user_pool_id: &str, client_ids: &[String], ) -> Result<Self, JwtError>

Create a new verifier with a single user pool configuration

This is a convenience constructor that creates a verifier with a single user pool.

§Parameters
  • region - AWS region where the Cognito user pool is located (e.g., “us-east-1”)
  • user_pool_id - Cognito user pool ID in the format “region_poolid”
  • client_ids - List of allowed client IDs for this user pool
§Returns

Returns a Result containing the new CognitoJwtVerifier if successful, or a JwtError if the configuration is invalid or if there’s an error registering the user pool.

§Examples
use jwt_verify::CognitoJwtVerifier;

// Create a verifier with a single user pool
let verifier = CognitoJwtVerifier::new_single_pool(
    "us-east-1",
    "us-east-1_example",
    &["client1".to_string()],
).unwrap();
Source

pub fn add_user_pool( &mut self, id: &str, config: VerifierConfig, ) -> Result<(), JwtError>

Add a user pool with configuration

This method adds a new user pool to the verifier. The user pool is identified by the provided ID, which should be unique among all registered user pools.

§Parameters
  • id - Unique identifier for the user pool
  • config - Configuration for the user pool
§Returns

Returns Ok(()) if the user pool was successfully added, or a JwtError if there was an error registering the user pool.

§Examples
use jwt_verify::{CognitoJwtVerifier, VerifierConfig};

// Create a verifier
let mut verifier = CognitoJwtVerifier::new(vec![]).unwrap();

// Create a configuration for a user pool
let config = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example",
    &["client1".to_string()],
    None,
).unwrap();

// Add the user pool to the verifier
verifier.add_user_pool("my_pool", config).unwrap();
Source

pub fn add_user_pool_with_params( &mut self, id: &str, region: &str, user_pool_id: &str, client_ids: &[String], ) -> Result<(), JwtError>

Add a user pool with region, user pool ID, and client IDs

This is a convenience method that creates a configuration for a user pool and adds it to the verifier.

§Parameters
  • id - Unique identifier for the user pool
  • region - AWS region where the Cognito user pool is located (e.g., “us-east-1”)
  • user_pool_id - Cognito user pool ID in the format “region_poolid”
  • client_ids - List of allowed client IDs for this user pool
§Returns

Returns Ok(()) if the user pool was successfully added, or a JwtError if there was an error creating the configuration or registering the user pool.

§Examples
use jwt_verify::CognitoJwtVerifier;

// Create a verifier
let mut verifier = CognitoJwtVerifier::new(vec![]).unwrap();

// Add a user pool
verifier.add_user_pool_with_params(
    "my_pool",
    "us-east-1",
    "us-east-1_example",
    &["client1".to_string()],
).unwrap();
Source

pub fn get_user_pool_ids(&self) -> Vec<String>

Get the list of registered user pool IDs

This method returns a list of all user pool IDs that have been registered with the verifier.

§Returns

Returns a vector of user pool IDs.

§Examples
use jwt_verify::{CognitoJwtVerifier, VerifierConfig};

// Create a verifier with multiple user pools
let config1 = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example1",
    &["client1".to_string()],
    None,
).unwrap();

let config2 = VerifierConfig::new(
    "us-west-2",
    "us-west-2_example2",
    &["client2".to_string()],
    None,
).unwrap();

let verifier = CognitoJwtVerifier::new(vec![config1, config2]).unwrap();

// Get the list of user pool IDs
let pool_ids = verifier.get_user_pool_ids();
assert_eq!(pool_ids.len(), 2);
Source

pub fn remove_user_pool(&mut self, id: &str) -> Result<(), JwtError>

Remove a user pool

This method removes a user pool from the verifier. The user pool is identified by the provided ID.

§Parameters
  • id - Unique identifier for the user pool to remove
§Returns

Returns Ok(()) if the user pool was successfully removed, or a JwtError if the user pool was not found.

§Examples
use jwt_verify::{CognitoJwtVerifier, VerifierConfig};

// Create a verifier with a user pool
let config = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example",
    &["client1".to_string()],
    None,
).unwrap();

let mut verifier = CognitoJwtVerifier::new(vec![config]).unwrap();

// Remove the user pool
verifier.remove_user_pool("us-east-1_us-east-1_example").unwrap();
Source

pub fn set_error_verbosity(&mut self, verbosity: ErrorVerbosity)

Set the error verbosity level

This method sets the verbosity level for error logging and reporting.

§Parameters
  • verbosity - The error verbosity level
§Examples
use jwt_verify::{CognitoJwtVerifier, VerifierConfig, ErrorVerbosity};

// Create a verifier
let mut verifier = CognitoJwtVerifier::new(vec![]).unwrap();

// Set the error verbosity level
verifier.set_error_verbosity(ErrorVerbosity::Detailed);
Source

pub async fn hydrate(&self) -> Vec<(String, Result<(), JwtError>)>

Prefetch JWKs for all user pools

This method prefetches JWKs for all registered user pools. This can be useful to warm up the cache before handling requests.

§Returns

Returns a vector of tuples containing the user pool ID and the result of the prefetch operation.

§Examples
use jwt_verify::{CognitoJwtVerifier, VerifierConfig};

// Create a verifier with multiple user pools
let config1 = VerifierConfig::new(
    "us-east-1",
    "us-east-1_example1",
    &["client1".to_string()],
    None,
).unwrap();

let config2 = VerifierConfig::new(
    "us-west-2",
    "us-west-2_example2",
    &["client2".to_string()],
    None,
).unwrap();

let verifier = CognitoJwtVerifier::new(vec![config1, config2]).unwrap();

// Prefetch JWKs for all user pools
let results = verifier.hydrate().await;
Source

pub async fn verify<T>(&self, token: &str) -> Result<T, JwtError>
where T: DeserializeOwned + TryFrom<CognitoJwtClaims, Error = JwtError>,

Verify a token with generic type support

This method verifies a JWT token and returns the claims as the specified type. It automatically selects the appropriate user pool based on the issuer claim in the token.

§Parameters
  • token - The JWT token to verify
§Returns

Returns a Result containing the verified claims if successful, or a JwtError if verification fails.

§Examples
use jwt_verify::{CognitoJwtVerifier, CognitoIdTokenClaims};

// Create a verifier
let verifier = CognitoJwtVerifier::new_single_pool(
    "us-east-1",
    "us-east-1_example",
    &["client1".to_string()],
).unwrap();

// Verify a token
let token = "..."; // JWT token string
let claims = verifier.verify::<CognitoIdTokenClaims>(token).await.unwrap();

Trait Implementations§

Source§

impl Debug for CognitoJwtVerifier

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl JwtVerifier for CognitoJwtVerifier

Source§

async fn verify_id_token( &self, token: &str, ) -> Result<Box<dyn IdTokenClaims>, JwtError>

Verify a token with generic type support Read more
Source§

async fn verify_access_token( &self, token: &str, ) -> Result<Box<dyn AccessTokenClaims>, JwtError>

Verify an access token Read more

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> Downcast for T
where T: Any,

Source§

fn into_any(self: Box<T>) -> Box<dyn Any>

Convert Box<dyn Trait> (where Trait: Downcast) to Box<dyn Any>. Box<dyn Any> can then be further downcast into Box<ConcreteType> where ConcreteType implements Trait.
Source§

fn into_any_rc(self: Rc<T>) -> Rc<dyn Any>

Convert Rc<Trait> (where Trait: Downcast) to Rc<Any>. Rc<Any> can then be further downcast into Rc<ConcreteType> where ConcreteType implements Trait.
Source§

fn as_any(&self) -> &(dyn Any + 'static)

Convert &Trait (where Trait: Downcast) to &Any. This is needed since Rust cannot generate &Any’s vtable from &Trait’s.
Source§

fn as_any_mut(&mut self) -> &mut (dyn Any + 'static)

Convert &mut Trait (where Trait: Downcast) to &Any. This is needed since Rust cannot generate &mut Any’s vtable from &mut Trait’s.
Source§

impl<T> DowncastSync for T
where T: Any + Send + Sync,

Source§

fn into_any_arc(self: Arc<T>) -> Arc<dyn Any + Sync + Send>

Convert Arc<Trait> (where Trait: Downcast) to Arc<Any>. Arc<Any> can then be further downcast into Arc<ConcreteType> where ConcreteType implements Trait.
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T> Instrument for T

Source§

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper. Read more
Source§

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper. Read more
Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> PolicyExt for T
where T: ?Sized,

Source§

fn and<P, B, E>(self, other: P) -> And<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow only if self and other return Action::Follow. Read more
Source§

fn or<P, B, E>(self, other: P) -> Or<T, P>
where T: Policy<B, E>, P: Policy<B, E>,

Create a new Policy that returns Action::Follow if either self or other returns Action::Follow. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.
Source§

impl<T> WithSubscriber for T

Source§

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper. Read more
Source§

impl<T> ErasedDestructor for T
where T: 'static,