AWS Cognito usually responds with 3 JWTs (IDToken, AccessToken, RefreshToken) for each successful login request. There is a fair chance that your application will use these tokens to:
- secure API requests.
- manage permission/role-based authorization to resources.
- meet other custom authorization requirements.
Usually, IDToken & AccessToken are verified for such purposes, but not RefreshToken. It is there just to refresh the session.
Both IDToken & AccessToken have some common as well as unique claims, so it's 100% your own choice to decide which token to verify where, according to your use case.
More on using Tokens here
Find Cognito JWT Verification Algorithm here 👉 github-gist
You can use the same algorithm, with minor additions/deletions, to verify both IDToken & AccessToken. It is written in TypeScript and follows the steps described in the official Cognito guide here to verify the JWTs.
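The three verification steps, as an added sketch that is not the code from the linked gist: it checks the token structure, the RS256 signature against a JWKS, then the claims, and shows the one place where IDToken and AccessToken differ (`aud` versus `client_id`). The names `verifyCognitoJwt`, `signSample` and `sampleJwks` are hypothetical, and a throwaway key pair is constructed inline in place of the JWKS a real user pool publishes at `/.well-known/jwks.json` under its issuer URL.

```typescript
import { createPublicKey, createSign, createVerify, generateKeyPairSync } from "crypto";

type Jwk = { kid: string; [field: string]: unknown };
type Expected = { issuer: string; clientId: string; tokenUse: "id" | "access" };

const decodePart = (part: string): any => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Returns the verified claims, or throws with the reason the token was rejected.
function verifyCognitoJwt(token: string, jwks: Jwk[], want: Expected, nowSec = Math.floor(Date.now() / 1000)): any {
  // Step 1: the token must have exactly three dot-separated sections.
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [head, payload, sig] = parts;

  // Step 2: pick the public key by `kid` and check the RS256 signature.
  const header = decodePart(head);
  if (header.alg !== "RS256") throw new Error("unexpected alg"); // pin the algorithm, never trust the header
  const jwk = jwks.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("unknown kid");
  const key = createPublicKey({ key: jwk as any, format: "jwk" });
  const valid = createVerify("RSA-SHA256").update(`${head}.${payload}`).verify(key, Buffer.from(sig, "base64url"));
  if (!valid) throw new Error("bad signature");

  // Step 3: check the claims only after the signature is known to be good.
  const claims = decodePart(payload);
  if (typeof claims.exp !== "number" || claims.exp <= nowSec) throw new Error("expired");
  if (claims.iss !== want.issuer) throw new Error("wrong issuer");
  if (claims.token_use !== want.tokenUse) throw new Error("wrong token_use");
  // ID tokens carry the app client id in `aud`, access tokens in `client_id`.
  const client = want.tokenUse === "id" ? claims.aud : claims.client_id;
  if (client !== want.clientId) throw new Error("wrong client");
  return claims;
}

// Constructed sample data: a throwaway key pair stands in for the user pool's signing key.
const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
const sampleJwks: Jwk[] = [{ ...publicKey.export({ format: "jwk" }), kid: "sample-kid" }];
const b64 = (o: object): string => Buffer.from(JSON.stringify(o)).toString("base64url");
function signSample(claims: object): string {
  const body = `${b64({ alg: "RS256", kid: "sample-kid" })}.${b64(claims)}`;
  return `${body}.${createSign("RSA-SHA256").update(body).sign(privateKey).toString("base64url")}`;
}
```

Passing `tokenUse` explicitly means an AccessToken presented where an IDToken is expected is rejected rather than silently accepted.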
cheers :)