Linked Questions

Popular Questions

Return aud from AWS Cognito refresh_token results

Asked by At

I am using AWS Cognito for authenticating users.

I have created a server using Kosjs and used koa-jwt library to verify if users have valid id_tokens.

koa-jwt expects an aud property in the id_token which initially exists in the id_token returned by AWS Cognito.

But when I use the refresh token to get a new token, the new token contains client_id instead of aud.

Because of this, the koa-jwt doesn't verify the id_token anymore.

Is there any way to get a consistent result from AWS Cognito?

This is the sample id_token after login:

{
  "sub": "1Xfe6c44-XXXX-4cbf-9fb2-2778a1b0e5be",
  "email_verified": true,
  "iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxOUKTJu",
  "phone_number_verified": true,
  "cognito:username": "[email protected]",
  "given_name": "Some1",
  "aud": "xxxxf9f0lmr1q6ni2c09umdds",
  "event_id": "9cf03730-xxxx-11e9-a89f-67080ff7c936",
  "token_use": "id",
  "auth_time": 1546931916,
  "phone_number": "+16806666986",
  "exp": 1546935516,
  "iat": 1546931916,
  "family_name": "Some2",
  "email": "[email protected]"
}

and this is the sample id_token returned by refresh_token:

{
  "sub": "16fe6c44-xxxx-xxxx-9fb2-2778a1b0e5be",
  "event_id": "9cf03730-xxxx-xxxx-a89f-67080ff7c936",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1546931916,
  "iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_xxxxxKTJu",
  "exp": 1546939290,
  "iat": 1546935690,
  "jti": "6fab7b58-xxxx-xxxx-a339-ddb6467e2d4c",
  "client_id": "xxxxx9f0lmr1q6ni2c09umdds",
  "username": "[email protected]"
}

Related Questions