
cognitojwt's Introduction

Decode and verify Amazon Cognito JWT tokens

Repository is archived. Use any maintained JWT library that supports JWKS instead.

Note: tested on Python >= 3.6; the async mode relies on the PEP 492 async/await coroutine syntax.

Installation

The package works in two modes: synchronous, using requests as the HTTP client, and asynchronous, using aiohttp. To avoid installing unnecessary dependencies, the installation is split into two extras, one per mode:

  • Async mode - pip install cognitojwt[async]
  • Sync mode - pip install cognitojwt[sync]

Usage

import asyncio

import cognitojwt

id_token = '<YOUR_TOKEN_HERE>'
REGION = '**-****-*'
USERPOOL_ID = 'eu-west-1_*******'
APP_CLIENT_ID = '1p3*********'

# Sync mode (pip install cognitojwt[sync])
verified_claims: dict = cognitojwt.decode(
    id_token,
    REGION,
    USERPOOL_ID,
    app_client_id=APP_CLIENT_ID,  # Optional; if omitted, the token's audience is not checked
    testmode=True  # Disables the expiration check for tests only; never set it in production
)

# Async mode (pip install cognitojwt[async]); await is only valid inside a coroutine
async def verify() -> dict:
    return await cognitojwt.decode_async(
        id_token,
        REGION,
        USERPOOL_ID,
        app_client_id=APP_CLIENT_ID,  # Optional; if omitted, the token's audience is not checked
        testmode=True  # Disables the expiration check for tests only; never set it in production
    )

verified_claims_async: dict = asyncio.run(verify())  # asyncio.run needs Python 3.7+

Note: if the application is deployed inside a private VPC without an internet gateway (or a NAT gateway), it cannot download the JWKS file from Cognito. In that case set the AWS_COGNITO_JWKS_PATH environment variable to the absolute or relative path of a local copy of jwks.json, taken from https://cognito-idp.<region>.amazonaws.com/<userpool_id>/.well-known/jwks.json. Keep that copy current: a token signed with a key id that is not in the local file cannot be verified.

It is possible to allow multiple app client ids by passing the value as a Container instance such as a list or tuple:

ALLOWED_CLIENT_IDS = ('client_one', 'client_two')

verified_claims: dict = cognitojwt.decode(
    id_token,
    REGION,
    USERPOOL_ID,
    app_client_id=ALLOWED_CLIENT_IDS,
    testmode=True  # Disable token expiration check for testing purposes
)

cognitojwt's People

Contributors

borisrozumnuk, dcalde, kevna, rangerthegood, revmischa, yaraslauzhylko

cognitojwt's Issues

When requests is not installed it gives wrong error messages.

I was getting AttributeError: module 'cognitojwt' has no attribute 'decode', but the actual issue was that I didn't have requests installed.

try:
    import requests
    from .jwt_sync import decode
    __all__.append('decode')
except ImportError:
    pass

this explicit pass should be handled

examples would help

Hi Boris,

Tried this out and got this back at the Python console:

dict
<class 'dict'>

I can't figure out how to query this class. please advise, and suggest you add some examples in the doc.

ImportError: cannot import name 'decode_async' from 'cognitojwt'

Hi guys, after updating to the new 1.5.0 version we've started to get this error. The package was installed with the additional async dependency, as cognitojwt[async].

ImportError: cannot import name 'decode_async' from 'cognitojwt' is caused by incorrect imports in:

cognitojwt/jwt_async.py
cognitojwt/jwt_sync.py

Instead of from jose.util import urlsafe_b64decode it should be from joserfc.util import urlsafe_b64decode.

    from cognitojwt import decode_async as cognito_jwt_decode
E   ImportError: cannot import name 'decode_async' from 'cognitojwt' (.../lib/python3.12/site-packages/cognitojwt/__init__.py)

Security vulnerability in `ecdsa`

cognitojwt depends on python-jose, which in turn depends on ecdsa.
The latter has a high level vulnerability: GHSA-wj6h-64fc-37mp

Seems like ecdsa is not going to fix the issue: GHSA-wj6h-64fc-37mp
And python-jose has not had updates for ages.

Is it possible to switch from using python-jose to any other, more frequently updated library?
For example, joserfc?

I cannot import it

Thank you for sharing. After installing it under a 3.6 venv, I get this error:

In [1]: import cognitojwt
---------------------------------------------------------------------------
ImportError                               Traceback (most recent call last)
<ipython-input-1-763e27221cb4> in <module>
----> 1 import cognitojwt

~/projects/python/switch_ui_angular/venv/lib/python3.6/site-packages/cognitojwt/__init__.py in <module>
----> 1 from .async import decode_async
      2 from .cognito import decode
      3 from .exceptions import CognitoJWTException
      4 
      5 name = "cognitojwt"

~/projects/python/switch_ui_angular/venv/lib/python3.6/site-packages/cognitojwt/async.py in <module>
      6 from jose.utils import base64url_decode
      7 
----> 8 from . import PUBLIC_KEYS_URL_TEMPLATE
      9 from .exceptions import CognitoJWTException
     10 from .token_utils import get_unverified_headers, get_unverified_claims, check_expired, check_aud

ImportError: cannot import name 'PUBLIC_KEYS_URL_TEMPLATE'

cognitojwt has no attribute 'decode'

>>> import cognitojwt
>>>
>>> id_token = '<YOUR_TOKEN_HERE>'
>>> REGION = '**-****-*'
>>> USERPOOL_ID = 'eu-west-1_*******'
>>> APP_CLIENT_ID = '1p3*********'
>>>
>>> # Sync mode
>>> verified_claims: dict = cognitojwt.decode(
...     id_token,
...     REGION,
...     USERPOOL_ID,
...     app_client_id=APP_CLIENT_ID,  # Optional
...     testmode=True  # Disable token expiration check for testing purposes
... )
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: module 'cognitojwt' has no attribute 'decode'
>>>

Module 'cognitojwt' has no attribute 'decode' when deploying on lambda

Hi,

I'm trying to use this on a lambda.

So I moved your package into a zip along with my function and uploaded it.

Then my code is straightforward and works on my laptop - it's the same as the example:

import cognitojwt

id_token = '....'
REGION = 'us-east-2'
USERPOOL_ID = 'us-east-2_XXXX'
APP_CLIENT_ID = '5XXXXX'
verified_claims: dict = cognitojwt.decode(id_token,REGION,USERPOOL_ID, app_client_id=APP_CLIENT_ID, testmode=True)

print(verified_claims)

However, when running on Lambda I get
> "errorMessage": "module 'cognitojwt' has no attribute 'decode'",

I think this has to do with how, when doing pip install cognitojwt[sync], the [sync] makes something happen that is not reproduced by just moving cognitojwt into a zip folder...

Any idea for me to investigate would be appreciated :)
