Verify Cognito Token

Verify either the ID token or the access token provided by AWS Cognito.

This is a Node friendly refactor of AWS labs' decode-verify-jwt. The process is explained in the section Using ID Tokens and Access Tokens in your Web APIs from this AWS Document.

Install with npm install verify-cognito-token -S

Usage

// params
const params = {
  region: '<your-aws-region>',  // required
  userPoolId: '<your-user-pool-id>', // required
  debug: true // optional parameter to show console logs
}

//optional claims examples
const claims = {
  aud: '<your-app-client-id>',
  email_verified: true,
  auth_time: time => time <= 1524588564,
  'cognito:groups': groups => groups.includes('Admins')
}

const Verifier = require('verify-cognito-token');
const verifier = new Verifier(params, claims);

verifier.verify(token)
.then(result =>{
  //result will be `true` if token is valid, non-expired, and has matching claims
  //result will be `false` if token is invalid, expired or fails the claims check
})

The userPoolId parameter is available from Cognito/Manage Your User Pools/Your-Pool-Name/General Settings.

The claims parameter is an optional parameter used to match against the token's claims. Its keys are claim names and its values can be any of [string, number, boolean, function]. If the value is any of [string, number, boolean] it is checked for strict equality against the token's claim with a matching name. If it is a function, the function is run against the claim. Do not try to match against an object or an array; rather use a function to test for a particular property.

License

MIT