0

I am trying to test my server-side handling of Cognito JWT tokens in a Python application. I am using Moto to create a Cognito user pool, create a user in the pool, authenticate the user, and get back a JWT. That all works fine, until I want to verify the JWT so that it can be used to access something on the server.

Part of the normal process of verifying a JWT is that you download the public JWK file from your Cognito user pool and use it to verify the signature of the token. There does not appear to be a Moto implementation of downloading the JWK file, so how do you verify a token that was generated using Moto?

1 Answer

0

Moto has tests for testing token legitimacy, and they refer to a jwks.json file in the repository.

Here:

   path = "../../moto/cognitoidp/resources/jwks-public.json"

You could verify your token (generated with Moto) using this file? I've not worked out how, though. I have noticed that there are both this public file (for verifying) and also a private file (which I guess is used when generating tokens).

stephendwolff
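One way to carry out the check this answer points at, as an added example that is not part of the original posts or of Moto's code: a standard-library RS256 signature check against a JWKS dictionary. `verify_rs256`, `sign_demo` and the toy key are hypothetical names and constructed values; passing in the `json.load` result of Moto's `jwks-public.json` assumes that file is a standard JWKS with a `keys` list.

```python
import base64, hashlib, hmac, json, time
# DER DigestInfo prefix for SHA-256 in RSASSA-PKCS1-v1_5 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def encoded_message(signing_input, k):  # EMSA-PKCS1-v1_5 block for a k-byte modulus
    t = SHA256_PREFIX + hashlib.sha256(signing_input.encode()).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, jwks, now=None):
    """Return the claims if a key in `jwks` signed `token`; raise ValueError otherwise."""
    try:
        head, body, sig_b64 = token.split(".")
        header, sig = json.loads(b64d(head)), b64d(sig_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    # Pin the algorithm: the token header must not be able to pick "none" or HS256.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64d(key[f]), "big") for f in ("n", "e"))
    size, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    # Rebuild the full expected padding and compare it whole, instead of parsing it.
    expected = encoded_message(head + "." + body, size)
    if len(sig) != size or s >= n or not hmac.compare_digest(pow(s, e, n).to_bytes(size, "big"), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# Constructed toy key for the offline demo only (two Mersenne primes, not a real key).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
SIZE = (N.bit_length() + 7) // 8
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo", "alg": "RS256",
                       "n": b64e(N.to_bytes(SIZE, "big")), "e": b64e(E.to_bytes(3, "big"))}]}

def sign_demo(claims, alg="RS256"):  # constructed helper, only to make sample tokens
    head = b64e(json.dumps({"alg": alg, "kid": "demo"}).encode())
    signing_input = head + "." + b64e(json.dumps(claims).encode())
    sig = pow(int.from_bytes(encoded_message(signing_input, SIZE), "big"), D, N)
    return signing_input + "." + b64e(sig.to_bytes(SIZE, "big"))
```

Server code would normally also check the `iss`, `token_use` and audience or client id claims after the signature passes, which this block leaves to the caller.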