Reputation: 663
Here's the end goal: to write a Flask app that supports login/authentication using Amazon Cognito User Pools. Both frameworks are fairly new to me.
I used warrant serverless authentication to get a JWT access token from Cognito. However, I'm not sure how or what I need to verify the token as valid. I've read through a few answers on this site as well as the following links:
https://aws.amazon.com/premiumsupport/knowledge-center/decode-verify-cognito-json-token/
https://aws.amazon.com/blogs/mobile/integrating-amazon-cognito-user-pools-with-api-gateway/
The first link suggests:
To verify the signature of an Amazon Cognito JWT, first search for the key with a key ID that matches the key ID of the JWT. Then, use libraries to decode the token and verify the signature.
I retrieved a JWK for the public key from the provided link, but I'm not sure how to use it. What libraries could I use to decode the token, keeping in mind I am working in a Python environment? I looked at flask-jwt-extended, but the provided classes and methods don't seem to solve my exact problem. Should I override classes and functions in flask-jwt-extended to get the desired effect?
Or if I'm approaching this problem in the wrong way, any pointers or suggestions?
Upvotes: 2
Views: 7295
Reputation: 663
I ended up mostly figuring this one out, but if anyone else is curious, I used the PyJWT library to decode the JWT tokens that Cognito returned. Looked pretty far into flask-jwt-extended, but the provided methods didn't cover the functionality I was looking for.
jwt.algorithms.RSAAlgorithm.from_jwk was useful for decoding the JWK to get its public key.
Upvotes: 1
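The following is an added example, not code from the original answer, showing the steps described above with PyJWT: match the token's key ID against the JWKS, convert the JWK with RSAAlgorithm.from_jwk, then verify the signature and the claims a Cognito access token carries. The issuer, client ID, key ID and the locally generated key pair are constructed stand-ins so it runs offline; against a real user pool the JWKS is the JSON served at the issuer URL plus /.well-known/jwks.json.

```python
import json

import jwt  # PyJWT
from cryptography.hazmat.primitives.asymmetric import rsa
from jwt.algorithms import RSAAlgorithm

# Constructed placeholders (assumptions), not values from the original post.
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
CLIENT_ID = "example-app-client-id"

def verify_access_token(token, jwks, issuer=ISSUER, client_id=CLIENT_ID):
    """Return the verified claims, or raise jwt.InvalidTokenError."""
    # The header is unverified at this point; it is only used to select a key.
    kid = jwt.get_unverified_header(token).get("kid")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == kid), None)
    if jwk is None:
        raise jwt.InvalidTokenError("no JWKS key matches the token's kid")
    public_key = RSAAlgorithm.from_jwk(json.dumps(jwk))
    # Pin RS256 so the token header cannot choose the algorithm.
    claims = jwt.decode(token, public_key, algorithms=["RS256"],
                        issuer=issuer, options={"require": ["exp", "iss"]})
    # Access tokens carry token_use and client_id rather than an aud claim.
    if claims.get("token_use") != "access":
        raise jwt.InvalidTokenError("not an access token")
    if claims.get("client_id") != client_id:
        raise jwt.InvalidTokenError("issued to a different app client")
    return claims

def make_demo():
    """Local key pair, one-key JWKS and a token minter standing in for Cognito."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    jwk = json.loads(RSAAlgorithm.to_jwk(priv.public_key()))
    jwk.update(kid="demo-key-1", alg="RS256", use="sig")

    def mint(**overrides):
        claims = {"iss": ISSUER, "token_use": "access", "client_id": CLIENT_ID,
                  "sub": "demo-user", "exp": 4102444800}  # constructed claims
        claims.update(overrides)
        return jwt.encode(claims, priv, algorithm="RS256",
                          headers={"kid": "demo-key-1"})
    return {"keys": [jwk]}, mint

def rejected(token, jwks):
    """True when verification fails for any reason PyJWT reports."""
    try:
        verify_access_token(token, jwks)
    except jwt.InvalidTokenError:
        return True
    return False
```

In a Flask app, verify_access_token would be called on the bearer token of each request, with the JWKS fetched once and cached rather than downloaded per request.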