Description
I have some JWTs obtained from AWS/Cognito, with the Elastic Load Balancer performing authentication for me. I also have the associated public key from the documented endpoints for the Cognito user pool. However, the jsonwebtoken library says the signature is invalid (JsonWebTokenError: invalid signature), whereas when I use the same input (same JWT and public key in PEM format) in PyJWT Python code, it decodes/verifies without issue. There is no information pointing to why jsonwebtoken is unable to verify the JWT/PEM when another library (PyJWT) can. I have tried ignoring any expiration checking in case this is the cause of the "invalid signature", using ignoreExpiration, clockTolerance, and maxAge, without success. The only discrepancy I can see is that the base64 padding (=) must be removed from the JWT before passing it to the jsonwebtoken library.
Is there any known reason why jsonwebtoken would be unable to verify a signature which can be verified with another library? Perhaps some assumptions about the format/layout/syntax of the inputs which AWS/Cognito is not respecting?
Reproduction
Python code:
import jwt
import requests
import base64
import json

# Token and key are elided in this report; the real values come from the
# ALB/Cognito token and the user pool's published public key (PEM).
encoded_jwt = """eyJ0e
......
tE5Bg=="""
pub_key = """-----BEGIN PUBLIC KEY-----
MFkw
.....
J5og==
-----END PUBLIC KEY-----"""
# leeway=10000 tolerates clock skew/expiry by 10000 seconds; the signature
# check itself is unaffected by it.
payload = jwt.decode(encoded_jwt, pub_key, algorithms=['ES256'], leeway=10000)
print('Payload: ' + str(payload))  # This works fine
TypeScript code:
// Strip the base64 padding the token arrives with; jsonwebtoken rejects it otherwise.
userJWT = userJWT.replace(/=/g, '');
// This fails, with JsonWebTokenError: invalid signature.
// this.pem holds the same public key (PEM) used in the Python code above.
return jsonwebtoken.verify(userJWT, this.pem,
  { algorithms: ['ES256'], ignoreExpiration: true, clockTolerance: 100000, maxAge: "1 day" });
Environment
Please provide the following:
- Version of this library used:
- jsonwebtoken = 8.5.1
- PyJWT = 1.7.1
- Version of the platform or framework used, if applicable:
- Python 3.8.10
- Node v17.4.0
- Other relevant versions (language, server software, OS, browser):
- Ubuntu 21.04 (Kernel 5.14)
- Other modules/plugins/libraries that might be involved: