JWK from Amazon Cognito doesn't contain X5c field

Question

I'm trying to hook up my GO web server to Amazon Cognito for auth. I'm using the jwt-middleware from gorilla. I'm also following the guide from AuthO: https://auth0.com/docs/quickstart/backend/golang/01-authorization

The guide creates a cert using the following:

    for k, _ := range jwks.Keys {
        if token.Header["kid"] == jwks.Keys[k].Kid {
            cert = "-----BEGIN CERTIFICATE-----\n" + jwks.Keys[k].X5c[0] + "\n-----END CERTIFICATE-----"
        }
    }

AWS says to get your JWKs file using https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json

I did that but my file is missing the X5c field. It looks like:

{
    "keys": [{
        "alg": "RS256",
        "e": "AQAB",
        "kid": "abcdefghijklmnopqrsexample=",
        "kty": "RSA",
        "n": "lsjhglskjhgslkjgh43lj5h34lkjh34lkjht3example",
        "use": "sig"
    }, {
        "alg":
        "RS256",
        "e": "AQAB",
        "kid": "fgjhlkhjlkhexample=",
        "kty": "RSA",
        "n": "sgjhlk6jp98ugp98up34hpexample",
        "use": "sig"
    }]
}

How am I supposed to verify the signature of the token sent in through the Authorization header sent by the client using this file?

Thank you for your help!

Answer 1

You need to convert the key to PEM format for use with any OpenSSL or crypto library. In javascript, I used the jwk-to-pem package for node. Which never uses the x5c prop, it uses the n prop on the JWK, which contains the value for the RSA public key.

Answer 2

Check this thread out How to verify a JWT Token from AWS Cognito in Go?

JWT Middleware "github.com/auth0/go-jwt-middleware" used in your example is deeply rooted in how auth.com service handles JWT and may not fully apply to other providers and services.