A Rust library for verifying Json Web Tokens issued by AWS Cognito
jsonwebtokens-cognito = "0.1.0-alpha"
let keyset = KeySet::new("eu-west-1", "my-user-pool-id")?;
let verifier = keyset.new_id_token_verifier(&["client-id-0", "client-id-1"])
.string_equals("custom_claim0", "value")
.string_equals("custom_claim1", "value")
.build()?;
let claims = keyset.verify(token, &verifier).await?;This library builds on top of jsonwebtokens token verifiers.
The keyset will fetch from the appropriate .jwks url when verifying the first
token or, alternatively the cache can be primed by calling
keyset.prefetch_jwks():
let keyset = KeySet::new("eu-west-1", "my-user-pool-id")?;
keyset.prefetch_jwks().await?;If you need to perform token verification in a non-async context, or don't
wan't to allow network I/O while verifying tokens then if you have explicitly
prefetched the jwks key set you can verify tokens with try_verify:
let keyset = KeySet::new("eu-west-1", "my-user-pool-id")?;
keyset.prefetch_jwks().await?;
let verifier = keyset.new_id_token_verifier(&["client-id-0", "client-id-1"])
.string_equals("custom_claim0", "value")
.string_equals("custom_claim1", "value")
.build()?;
let claims = keyset.try_verify(token, verifier).await?;try_verify() will return a CacheMiss error if the required key has not been prefetched
A Keyset is Send safe so it can be used for authentication within a multi-threaded server.
let keyset = KeySet::new(AWS_REGION, AWS_POOL_ID)?;
let verifier = keyset.new_access_token_verifier(&[AWS_CLIENT_ID]).build()?;
keyset.verify(&token_str, &verifier).await?;let keyset = KeySet::new(AWS_REGION, AWS_POOL_ID)?;
let verifier = keyset.new_id_token_verifier(&[AWS_CLIENT_ID]).build()?;
keyset.verify(&token_str, &verifier).await?;let keyset = KeySet::new(AWS_REGION, AWS_POOL_ID)?;
let verifier = keyset.new_access_token_verifier(&[AWS_CLIENT_ID])
.string_equals("my_claim", "foo")
.build()?;
keyset.verify(&token_str, &verifier).await?;See jsonwebtokens for more examples of how to verify custom claims.