Easy API for custom jwt claims #19

Closed
shughes-uk opened this issue Oct 3, 2020 · 0 comments

shughes-uk commented Oct 3, 2020

Currently we have easy access to attributes but not to custom JWT claims added by a pre-token generation lambda.

You can get the decoded ID Token with

Cognito.verify_token(id_token,"id_token","id")

but it's kind of hacky, otherwise you're on your own to decode the ID token and extract the claims.

It would be nice to have a proper route to access these custom claims!

tsibley added a commit to tsibley/pycognito that referenced this issue Feb 25, 2021
Very handy to have these available so you can use the default claims
like "cognito:groups" and any custom claims.

Resolves NabuCasa#19.
tsibley added a commit to tsibley/pycognito that referenced this issue Feb 26, 2021
Very handy to have these available so you can use the default claims
like "cognito:groups" and any custom claims.

Resolves NabuCasa#19.
mdecuir pushed a commit to MDmetrix/pycognito that referenced this issue Jun 30, 2021
* Format exception descriptions which contained unformatted interpolations

* Refactor out user pool base URL templating

…so it can be reused by token verification.

* Fix several weaknesses in token verification

JWTs are made of footguns.  Follow the recommendations in Cognito's
developer guide and avoid some pitfalls with the defaults of the JWT
library in use (jose).

  • Actually verify audience and issuer claims against expected values
    instead of comparing the values to themselves.

  • Require audience, issuer, and expiration claims to be present, as
    otherwise the JWT library in use will silently skip verification.

  • Check token_use claim matches after claim verification to avoid
    using unverified claims at all.

* Consistently set and verify tokens across assignment codepaths

Ensures that the token attributes are accessible, up-to-date, and valid.

* Add verify_tokens() method to manually (re-)check current tokens

It can be useful to call this method after creating a Cognito instance
where you've provided externally-remembered token values.

* Save the verified claims for the id and access token

Very handy to have these available so you can use the default claims
like "cognito:groups" and any custom claims.

Resolves NabuCasa#19.

* README: Correct two typos

* Switch to f-strings for interpolation

As requested during review. I avoided using f-strings initially because
I did not see them used elsewhere in the codebase.

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>

Co-authored-by: Pascal Vizeli <pascal.vizeli@syshack.ch>
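As an added example (not pycognito's own code), a self-contained Python sketch of the verification order the commit message above describes, followed by reading a custom claim only once the token has passed. It builds an HS256 token with a constructed secret so it runs offline; real Cognito tokens are RS256-signed and checked against the user pool's JWKS, and the issuer URL and client id below are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed secret and identifiers so the example runs offline; real Cognito tokens
# are RS256-signed and checked against the user pool's JWKS, which this does not fetch.
SECRET = b"constructed-demo-secret"
POOL_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # hypothetical
CLIENT_ID = "example-app-client-id"  # hypothetical app client id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict) -> str:
    # Build a constructed HS256 token carrying the given claims.
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, now=None) -> dict:
    """Signature first, then required claims against expected values, then token_use."""
    header, body, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    claims = json.loads(_b64url_decode(body))
    # Require each claim explicitly: a verifier that skips absent claims would accept
    # a token with no exp or aud as one that never expires, for any audience.
    for name in ("aud", "iss", "exp", "token_use"):
        if name not in claims:
            raise ValueError(f"missing required claim: {name}")
    if claims["iss"] != POOL_ISS or claims["aud"] != CLIENT_ID:
        raise ValueError("issuer or audience mismatch")
    if (time.time() if now is None else now) >= claims["exp"]:
        raise ValueError("token expired")
    # Only now, with the claims verified, is token_use consulted.
    if claims["token_use"] != "id":
        raise ValueError("not an id token")
    return claims  # custom claims, e.g. claims["custom:tenant"], are now safe to read

def verification_error(token: str, now=None):
    # Return the rejection reason for a token, or None when it verifies.
    try:
        verify_id_token(token, now)
    except ValueError as exc:
        return str(exc)
    return None
```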