tokusumi / fastapi-cloudauth

Simple integration between FastAPI and cloud authentication services (AWS Cognito, Auth0, Firebase Authentication).


[Cognito] App client_id is not validated for Cognito JWT (access_token)

tivaliy opened this issue · comments

I faced an issue when using Cognito auth: the app client_id is not validated during token verification, so you can pass any ID and it will work.

from fastapi.security import HTTPAuthorizationCredentials
from fastapi_cloudauth.cognito import Cognito

# aws_region, aws_cognito_userpool_id and access_token are set elsewhere

# pass some fake client_id
auth = Cognito(region=aws_region, userPoolId=aws_cognito_userpool_id, client_id='foo-bar')

# access_token - obtained from Cognito
http_auth = HTTPAuthorizationCredentials(scheme='Bearer', credentials=access_token)

await auth.verifier.verify_token(http_auth)
# -> True, even though the token was not issued for client_id 'foo-bar'

The problem is that jwt.decode (jose lib) doesn't expect client_id in the token, and since aud is not defined it skips validation.
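To make the failure mode concrete, here is an added example (not fastapi-cloudauth code) that contrasts an audience check that only runs when `aud` is present with one that enforces the app client id for both Cognito token types. The claims dicts are constructed sample payloads and assume signature verification has already been done by the caller.

```python
"""Audience / client_id enforcement for Cognito JWT claims (added example).

Cognito ID tokens carry the app client id in the standard `aud` claim; Cognito
access tokens carry it in the non-standard `client_id` claim and have no `aud`.
A check that only compares `aud` when present therefore accepts an access
token minted for any other app client. Claims below are constructed samples.
"""
from typing import Any, Mapping

# Constructed sample claims (not real tokens); signature assumed verified.
ID_CLAIMS = {"sub": "user-1", "token_use": "id", "aud": "real-client-id"}
ACCESS_CLAIMS = {"sub": "user-1", "token_use": "access", "client_id": "real-client-id"}


def _aud_contains(claims: Mapping[str, Any], expected: str) -> bool:
    """Return True if `aud` (string or list) contains the expected client id."""
    aud = claims.get("aud")
    if aud is None:
        return False
    auds = [aud] if isinstance(aud, str) else list(aud)
    return expected in auds


def lenient_aud_check(claims: Mapping[str, Any], expected: str) -> bool:
    """Models the permissive behaviour described in the issue: the audience is
    only compared when `aud` exists, so an access token always passes."""
    if "aud" not in claims:
        return True
    return _aud_contains(claims, expected)


def strict_client_check(claims: Mapping[str, Any], expected: str) -> bool:
    """Enforce the app client id for both Cognito token types.

    token_use == "id":     `aud` must contain the expected client id.
    token_use == "access": `client_id` must equal the expected client id.
    Anything else (missing token_use, missing claim) is rejected.
    """
    token_use = claims.get("token_use")
    if token_use == "id":
        return _aud_contains(claims, expected)
    if token_use == "access":
        return claims.get("client_id") == expected
    return False
```
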