[Cognito] App client_id is not validated for Cognito JWT (access_token)
tivaliy opened this issue · comments
Vitalii Kulanov commented
I faced an issue when using Cognito auth: the app client_id is not validated during token verification. So you can pass any ID and it will work.
```python
# pass some fake client_id
auth = Cognito(region=aws_region, userPoolId=aws_cognito_userpool_id, client_id='foo-bar')
# access_token - obtained from Cognito
http_auth = HTTPAuthorizationCredentials(scheme='Bearer', credentials=access_token)
await auth.verifier.verify_token(http_auth)
# -> True
```
The problem is that `jwt.decode` (jose lib) doesn't expect `client_id` in the token, and since `aud` is not defined it skips validation.
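The check the issue says is missing, as an added example (not the project's or the reporter's code): it takes claims that have already passed signature, issuer and expiry verification and picks the claim to compare by `token_use`; `aud_only_check` mirrors the permissive behaviour described above, `client_id_matches` is the hardened form. The sample payloads and client ids are constructed.

```python
"""Post-verification app-client check for Cognito JWTs.

Cognito puts the app client id of an *access* token in the ``client_id``
claim and that of an *ID* token in ``aud``. A verifier that only honours
``aud`` therefore never notices that an access token was minted for a
different app client of the same user pool.
"""

# Constructed sample payloads, as they look after signature/issuer/expiry
# checks have already passed (real tokens also carry sub, iss, exp, iat, ...).
SAMPLE_ACCESS_CLAIMS = {"token_use": "access", "client_id": "abc123", "scope": "openid"}
SAMPLE_ID_CLAIMS = {"token_use": "id", "aud": "abc123", "email": "user@example.com"}


def aud_only_check(claims, expected_client_id):
    """The permissive behaviour described in the issue: an absent ``aud``
    claim is treated as "nothing to validate", so any access token passes."""
    if "aud" not in claims:
        return True
    return claims["aud"] == expected_client_id


def client_id_matches(claims, expected_client_id):
    """Return True only if the claims bind the token to ``expected_client_id``.

    The claim to compare is chosen by ``token_use``, so an access token cannot
    slip through an ``aud``-only check; an unknown or missing ``token_use`` is
    rejected rather than guessed.
    """
    token_use = claims.get("token_use")
    if token_use == "access":
        candidates = [claims.get("client_id")]
    elif token_use == "id":
        aud = claims.get("aud")
        # RFC 7519 allows ``aud`` to be a list of audiences
        candidates = aud if isinstance(aud, list) else [aud]
    else:
        return False
    return any(isinstance(c, str) and c == expected_client_id for c in candidates)


if __name__ == "__main__":
    # The reporter's scenario: a verifier configured with client_id='foo-bar'
    print(aud_only_check(SAMPLE_ACCESS_CLAIMS, "foo-bar"))     # True  (bug)
    print(client_id_matches(SAMPLE_ACCESS_CLAIMS, "foo-bar"))  # False (fixed)
```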