cognito-jwt

Typescript friendly AWS Cognito AccessToken and IdToken classes.

Nothing spectacular but convenient classes to encapsulate AWS Cognito's ID and access tokens; classes we found useful in various projects.

Overview

This cognito-jwt package provides four convenience classes to access token claims:

• AccessToken
  Provides access to registered claims as specified by the IETF for an access token:
  https://tools.ietf.org/html/rfc7519#section-4
• IdToken
  Provides access to registered claims as specified by Open ID Connect for an id token:
  http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
• CognitoAccessToken
  An extension of the AccessToken class that provides access to the registered claims found in AccessToken and public/private claims added by Cognito.
• CognitoIdToken
  An extension of the IdToken class that provides access to the registered claims found in IdToken and public/private claims added by Cognito.

Versions

Version 1.2:

• Replaces dependency on jwt-decode with jsonwebtoken for token validation. Validation is triggered by passing a PEM formatted string containing the JWT generator's JSON Web Key in the class constructor.
• Adds options to class constructors, typically for testing (e.g., ignoreExpiration).
• Supplements getPayload() method with added methods specific to the token type: getIdTokenPayload(), getAccessTokenPayload(), getCognitoIdTokenPayload(), getCognitoAccessTokenPayload().
• Adds method getPropertyValue(propertyName: string).
• Adds token_use getter to CognitoAccessToken and CognitoIdToken classes.
• Deprecated token_use getter to CognitoAccessToken and CognitoIdToken classes.

Version 1.1:

• cognito_groups, device_key and event_id properties added to CognitoAccessToken.
• cognito_groups and event_id properties added to CognitoIdToken.

Install

$ npm install @xeedware/cognito-jwt

Usage

Without Token Verification

Simply create an instance of CognitoAccessToken and/or CognitoAccessToken with an Access JWT or ID JWT string respectively to access token claims as instance properties.

Typescript:

import {CognitoAccessToken, CognitoIdToken} from '@xeedware/cognito-jwt/dist';

const cognitoAccessTokenString = '<access token string from Cognito>';
const cognitoAccessToken = new CognitoAccessToken(cognitoAccessTokenString);
console.log(cognitoAccessToken.username);
console.log(cognitoAccessToken.exp);

const cognitoIdTokenString = '<id token string from Cognito>';
const cognitoIdToken = new CognitoIdToken(cognitoIdTokenString);
console.log(cognitoIdToken.exp);
console.log(cognitoIdToken.email);

With Token Verification

If you are using this package for server-side token processing you'll definitely want to verify the JWT against your server-side JSON Web Key (JWT).

If the access and id tokens are the result of Cognito User Pool authentication, obtain the User Pool's JSON Web Keys from
https://cognito-idp.{region}.amazonaws.com/{userPoolId}/.well-known/jwks.json.
A list of two JSON Web Keys should result, the first used by the User Pool to generate id tokens and the second for access tokens.
For example:

{
  "keys": [{
    "kid": "1234example=",
    "alg": "RS256",
    "kty": "RSA",
    "e": "AQAB",
    "n": "1234567890",
    "use": "sig"
  }, {
    "kid": "5678example=",
    "alg": "RS256",
    "kty": "RSA",
    "e": "AQAB",
    "n": "987654321",
    "use": "sig"
  }]
}

See https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html.

Once converted to PEM format, is passed as the second argument to the CognitoIdToken or CognitoAccessToken constructor.

Use a tool/library to convert the JWK to PEM.
For example using the jwk-to-pem NPM package:

const jwkToPem = require('jwk-to-pem');

const pem = jwkToPem({
  "kid": "1234example=",
  "alg": "RS256",
  "kty": "RSA",
  "e": "AQAB",
  "n": "1234567890",
  "use": "sig"
});

let cognitoIdToken: CognitoIdToken;
try {
  cognitoIdToken = new CognitoIdToken(jwtString, pem);
} catch (e) {
  console.log(e);
}

On failed verification, an Error will be thrown.

Constructor Options

Class constructors have an optional 3rd parameter: options: VerifyOptions.

Verify Options is from the jsonwebtoken NPM package:

export interface VerifyOptions {
    algorithms?: Algorithm[];
    audience?: string | RegExp | Array<string | RegExp>;
    clockTimestamp?: number;
    clockTolerance?: number;
    complete?: boolean;
    issuer?: string | string[];
    ignoreExpiration?: boolean;
    ignoreNotBefore?: boolean;
    jwtid?: string;
    nonce?: string;
    subject?: string;
    /**
     * @deprecated
     * Max age of token
     */
    maxAge?: string;
}

and is typically used for testing purposes.
For example:

const options: VerifyOptions = {
    ignoreExpiration: true,
}
const cognitoIdToken = new CognitoIdToken(jwtString, pem, options);

Claims

Claims are statements and additional metadata about an entity (a user in the case of access and id tokens). There are three types of claims:

• Registered claims
  A predefined set of recommended claims for the particular type of token (e.g. access vs id tokens).
• Public claims
  Custom claims agreed upon to be shared between parties that can be found registered with the IANA JSON Web Token Registry.
• Private claims
  Custom claims created to be shared between parties that are neither registered or public claims.

You can use the getPropertyValue(propertyName: string) method of any of the classes. For example:

const claimValue = myCognitoAccessToken.getPropertyValue('aud');

or use the getters described below (preferred).

AccessToken

The AccessToken contains registered claims as specified by the IETF for an access token:
https://tools.ietf.org/html/rfc7519#section-4

Obtain its value from the AccessToken class getter of the same name.
For example myAccessToken.aud for aud.
Since all AccessToken claims are optional, the returned value may be undefined.

Claims are:

• aud
  Audience: Identifies the recipients to whom this JWT is intended.
• exp
  Expiration Time: The time on or after which the JWT MUST NOT be accepted for processing.
  The number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
• iat
  Issued At: The time at which the JWT was issued.
  The number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
• iss
  Issuer: Identifies the principle who issued the JWT.
• jti
  JWT ID: Unique identifier (GUID) for the JWT.
• nbf
  Not Before: The time before which the JWT MUST NOT be accepted for processing.
  The number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
• sub
  Subject: A GUID that identifies the principle who is the subject of the JWT.

CognitoAccessToken

The CognitoAccessToken extends AccessToken containing public and private claims added to the registered claims available in the AccessToken.

Obtain its value from the CognitoAccessToken class getter of the same name.
For example myCognitoAccessToken.auth_time for auth_time.
Since all CognitoAccessToken claims are optional, the returned value may be undefined.

Added claims are:

• auth_time
  Authentication Time: Time when the authentication occurred.
  The number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
• client_id
  Client ID: The AWS Cognito User Pool Application Client ID the token was issued to.
• cognito_groups
  Stored in the JwtPayload as cognito:groups property, this array of strings list the groups to which the authenticated AWS Cognito User Pool user belongs.
• device_key
  Key assigned to device that is being used by the authenticated user.
• email
  Email: Preferred email address of the authenticated user.
• email_verified
  Email Verified: A true or false value indicating if the user's email address has been verified.
• event_id
  Assigned event id (a UUID);
• scope
  String containing a space-separated list of scopes associated with this token.
• token_use
  Token Use: access or id.
• username
  The username of the authenticated AWS Cognito User Pool user.

IdToken

The IdToken contains registered claims as specified by Open ID Connect for an id token:
http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims

Obtain its value from the IdToken class getter of the same name.
For example myIdToken.address for address.
Since all IdToken claims are optional, the returned value may be undefined.

The claims are (descriptions from Open ID Connect specification):

• address
  End-User's preferred postal address.
  The value of the address member is a JSON [RFC4627] structure containing some or all of the members defined in Section 5.1.1.
• birthdate
  End-User's birthday, represented as an ISO 8601:2004 [ISO8601‑2004] YYYY-MM-DD format.
  The year MAY be 0000, indicating that it is omitted. To represent only the year, YYYY format is allowed. Note that depending on the underlying platform's date related function, providing just year can result in varying month and day, so the implementers need to take this factor into account to correctly process the dates.
• email
  End-User's preferred e-mail address.
  Its value MUST conform to the RFC 5322 [RFC5322] addr-spec syntax. Relying Party (RP) MUST NOT rely upon this value being unique, as discussed in Section 5.7.
• email_verified
  True if the End-User's e-mail address has been verified; otherwise false.
  When this Claim Value is true, this means that authentication provider took affirmative steps to ensure that this e-mail address was controlled by the End-User at the time the verification was performed. The means by which an e-mail address is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating.
• family_name
  Surname(s) or last name(s) of the End-User.
  Note that in some cultures, people can have multiple family names or no family name; all can be present, with the names being separated by space characters.
• gender
  End-User's gender.
  Values defined by this specification are female and male. Other values MAY be used when neither of the defined values are applicable.
• given_name
  Given name(s) or first name(s) of the End-User.
  Note that in some cultures, people can have multiple given names; all can be present, with the names being separated by space characters.
• locale
  End-User's locale, represented as a BCP47 [RFC5646] language tag.\ This is typically an ISO 639-1 Alpha-2 [ISO639‑1] language code in lowercase and an ISO 3166-1 Alpha-2 [ISO3166‑1] country code in uppercase, separated by a dash. For example, en-US or fr-CA. As a compatibility note, some implementations have used an underscore as the separator rather than a dash, for example, en_US; Relying Parties MAY choose to accept this locale syntax as well.
• middle_name
  Middle name(s) of the End-User.
  Note that in some cultures, people can have multiple middle names; all can be present, with the names being separated by space characters. Also note that in some cultures, middle names are not used.
• name
  End-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
• nickname
  Casual name of the End-User that may or may not be the same as the given_name. For instance, a nickname value of Mike might be returned alongside a given_name value of Michael.
• phone_number
  End-User's preferred telephone number. E.164 [E.164] is RECOMMENDED as the format of this Claim, for example, +1 (425) 555-1212 or +56 (2) 687 2400. If the phone number contains an extension, it is RECOMMENDED that the extension be represented using the RFC 3966 [RFC3966] extension syntax, for example, +1 (604) 555-1234;ext=5678.
• phone_number_verified
  True if the End-User's phone number has been verified; otherwise false.\ When this Claim Value is true, this means that the OP took affirmative steps to ensure that this phone number was controlled by the End-User at the time the verification was performed. The means by which a phone number is verified is context-specific, and dependent upon the trust framework or contractual agreements within which the parties are operating. When true, the phone_number Claim MUST be in E.164 format and any extensions MUST be represented in RFC 3966 format.
• picture
  URL of the End-User's profile picture.
  This URL MUST refer to an image file (for example, a PNG, JPEG, or GIF image file), rather than to a Web page containing an image. Note that this URL SHOULD specifically reference a profile photo of the End-User suitable for displaying when describing the End-User, rather than an arbitrary photo taken by the End-User.
• preferred_username
  Shorthand name by which the End-User wishes to be referred to at the Relying Party, such as janedoe or j.doe.
  This value MAY be any valid JSON string including special characters such as @, /, or whitespace. The Relying Party MUST NOT rely upon this value being unique, as discussed in Section 5.7.
• profile
  URL of the End-User's profile page.
  The contents of this Web page SHOULD be about the End-User.
• sub
  Subject - Identifier for the End-User at the Issuer.
• updated_at
  Time the End-User's information was last updated.
  The number of seconds from 1970-01-01T0:0:0Z s measured in UTC.
• website
  URL of the End-User's Web page or blog.
  This Web page SHOULD contain information published by the End-User or an organization that the End-User is affiliated with.
• zoneinfo
  String from zoneinfo [zoneinfo] time zone database representing the End-User's time zone. For example, Europe/Paris or America/Los_Angeles.

CognitoIdToken

The CognitoIdToken extends IdToken containing public and private claims added to the registered claims available in the IdToken.

Obtain its value from the CognitoIdToken class getter of the same name.
For example myCognitoIdToken.auth_time for auth_time.
Since all CognitoIdToken claims are optional, the returned value may be undefined.

Added claims are:

• aud
  Audience: Identifies the recipients to whom this JWT is intended.
• auth_time
  Authentication Time: Time when the authentication occurred.
  The number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
• cognito_groups
  Stored in the JwtPayload as cognito:groups property, this array of strings list the groups to which the authenticated AWS Cognito User Pool user belongs.
• cognito_username
  Stored in the JwtPayload as cognito:username property, this is the username of the authenticated AWS Cognito User Pool user.
• exp
  Expiration Time: The time on or after which the JWT MUST NOT be accepted for processing.
  The number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
• event_id
  Assigned event id (a UUID);
• iss
  Issuer: Identifies the principle who issued the JWT.
• iat
  Issued At: The time at which the JWT was issued.
  The number of seconds from 1970-01-01T0:0:0Z as measured in UTC.
• scope
  String containing a space-separated list of scopes associated with this token.
• token_use
  Token Use: access or id.

References

• RFC7519 JSON Web Token (JWT)
• JWT Introduction

License

MIT