Reputation: 1
I am trying to test my server-side handling of Cognito JWT tokens in a Python application. I am using Moto to create a Cognito user pool, create a user in the pool, authenticate the user, and get back a JWT. That all works fine, until I want to verify the JWT so that it can be used to access something on the server.
Part of the normal process of verifying a JWT is that you download the public JWK file from your Cognito user pool and use it to verify the signature of the token. There does not appear to be a Moto implementation of downloading the JWK file, so how do you verify a token that was generated using Moto?
Upvotes: 0
Views: 1191
Reputation: 3467
This might help:
Use requests to obtain the keys:
import requests

region = "us-west-2"
cognito_userpool_id = "your_userpool_id"
# Cognito publishes the pool's signing keys at this well-known URL
keys_url = f"https://cognito-idp.{region}.amazonaws.com/{cognito_userpool_id}/.well-known/jwks.json"
response = requests.get(keys_url).json()
keys_array = response["keys"]  # list of JWKs; match the token's "kid" against these
If your domain code does not use requests to download the keys (perhaps it uses urllib), you can mock that request and return the result of the code above.
Upvotes: 0
Reputation: 1712
Moto has tests for testing token legitimacy, and they refer to a jwks.json file in the repository.
Here:
path = "../../moto/cognitoidp/resources/jwks-public.json"
You could verify your token (generated with moto) using this file? I've not worked out how though. I have noticed that there are both this public file (for verifying) and also a private file (which I guess is used when generating tokens).
Upvotes: 0
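Both answers come down to the same thing: get hold of the JWKS (downloaded, mocked, or read from moto's jwks-public.json), pick the key whose kid matches the token header, and verify the RS256 signature before trusting any claim. The stdlib-only verifier below is an added example, not code from either answer or from moto; the JWKS layout is the standard one, and the 512-bit toy key pair in make_test_token exists only so the sample runs offline (in a real service you would hand moto's file or the mocked download to PyJWT or python-jose instead of rolling your own RSA).

```python
import base64, hashlib, hmac, json, math, random, time

def b64d(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def jwk_int(s): return int.from_bytes(b64d(s), "big")  # JWK "n"/"e": base64url big-endian
DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256

def pkcs1_em(data, k):  # RSASSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo||SHA256(data)
    t = DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(n, e, signing_input, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, pkcs1_em(signing_input, k))

def verify_cognito_jwt(token, jwks, region, pool_id, client_id, now=None):
    """Check the signature against the JWKS, then the claims Cognito sets; raise ValueError on failure."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64d(h_b64))
    if header.get("alg") != "RS256": raise ValueError("unexpected alg")  # pin alg; never trust the header's choice
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None: raise ValueError("unknown kid")
    if not rs256_verify(jwk_int(key["n"]), jwk_int(key["e"]), f"{h_b64}.{p_b64}".encode(), b64d(s_b64)):
        raise ValueError("bad signature")
    c = json.loads(b64d(p_b64))  # only now is the payload trustworthy
    if c.get("iss") != f"https://cognito-idp.{region}.amazonaws.com/{pool_id}": raise ValueError("bad issuer")
    if c.get("token_use") not in ("id", "access"): raise ValueError("bad token_use")
    if c.get("aud" if c["token_use"] == "id" else "client_id") != client_id: raise ValueError("bad audience")
    if c.get("exp", 0) <= (now if now is not None else time.time()): raise ValueError("expired")
    return c

def _prime(bits):  # toy Fermat-tested prime; only for building the constructed sample key pair
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if all(pow(random.randrange(2, c - 1), c - 1, c) == 1 for _ in range(16)): return c

def make_test_token(claims, kid="test-kid"):  # constructed stand-in for a moto-issued token + its jwks.json
    while True:  # 512-bit modulus: large enough for PKCS#1 v1.5 + SHA-256 padding, small enough to be fast
        p, q = _prime(256), _prime(256)
        n, e, phi = p * q, 65537, (p - 1) * (q - 1)
        if math.gcd(e, phi) == 1: break
    d, k = pow(e, -1, phi), (n.bit_length() + 7) // 8
    signing_input = f'{b64e(json.dumps({"alg": "RS256", "kid": kid}).encode())}.{b64e(json.dumps(claims).encode())}'.encode()
    sig = pow(int.from_bytes(pkcs1_em(signing_input, k), "big"), d, n).to_bytes(k, "big")
    to_jwk = lambda x: b64e(x.to_bytes((x.bit_length() + 7) // 8, "big"))
    jwks = {"keys": [{"kty": "RSA", "alg": "RS256", "use": "sig", "kid": kid, "n": to_jwk(n), "e": to_jwk(e)}]}
    return signing_input.decode() + "." + b64e(sig), jwks
```

To plug this into the question's setup, load moto's jwks-public.json (or the JSON your mocked download returns) as `jwks` and pass the token moto handed back; the kid in moto's key must match the kid in the token header.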