AutoIt
Verify a JWT Created by the Amazon Cognito Service
Demonstrates how to verify a JWT created by the Amazon Cognito Service.
Local $bSuccess = False
; This example requires the Chilkat API to have been previously unlocked.
; See Global Unlock Sample for sample code.
; The public keys for this example are at https://cognito-idp.us-east-2.amazonaws.com/us-east-2_******/.well-known/jwks.json
; Let's get them:
$oHttp = ObjCreate("Chilkat.Http")
$oSbJsonKeys = ObjCreate("Chilkat.StringBuilder")
$bSuccess = $oHttp.QuickGetSb("https://cognito-idp.us-east-2.amazonaws.com/us-east-2_******/.well-known/jwks.json",$oSbJsonKeys)
If ($bSuccess = False) Then
    ConsoleWrite($oHttp.LastErrorText & @CRLF)
    Exit
EndIf
$oJsonKeys = ObjCreate("Chilkat.JsonObject")
$oJsonKeys.LoadSb($oSbJsonKeys)
$oJsonKeys.EmitCompact = False
ConsoleWrite($oJsonKeys.Emit() & @CRLF)
; Here are the keys:
; {
; "keys": [
; {
; "alg": "RS256",
; "e": "AQAB",
; "kid": "1A/L5Fsb2EsEwxy5E0cmCMS1BnMe6Jl6NXiMig4iNwU=",
; "kty": "RSA",
; "n": "y0w7BJrIJYi ... jKG27z2P3OKw",
; "use": "sig"
; },
; {
; "alg": "RS256",
; "e": "AQAB",
; "kid": "mos6VTJnvDwurY3ghJg6IAPUq+dMwl6CL/iThzJOkzg=",
; "kty": "RSA",
; "n": "qbIEH-7tg6yrT ... 3Fj94ooTd0w",
; "use": "sig"
; }
; ]
; }
; Try the 1st key. (The "kid" in the token's JOSE header identifies which of these keys signed it.)
$oJsonKey1 = ObjCreate("Chilkat.JsonObject")
$oJsonKeys.ObjectOf2("keys[0]",$oJsonKey1)
$oPubKey1 = ObjCreate("Chilkat.PublicKey")
$bSuccess = $oPubKey1.LoadFromString($oJsonKey1.Emit())
If ($bSuccess = False) Then
    ConsoleWrite($oPubKey1.LastErrorText & @CRLF)
    Exit
EndIf
ConsoleWrite("Success" & @CRLF)
$oJwt = ObjCreate("Chilkat.Jwt")
; I did not include an actual AWS Cognito token here because our test sample used customer-provided data.
Local $sToken = "eyJ..asXg"
; First verify the signature.
Local $bSigVerified = $oJwt.VerifyJwtPk($sToken,$oPubKey1)
ConsoleWrite("verified: " & $bSigVerified & @CRLF)
; Let's see if the time constraints, if any, are valid.
; The above JWT was created on the afternoon of 16-May-2016, with an expiration of 1 hour.
; If the current system time is before the "nbf" time, or after the "exp" time,
; then IsTimeValid will return false/0.
; Also, we'll allow a leeway of 60 seconds to account for any clock skew.
; Note: If the token has no "nbf" or "exp" claim fields, then IsTimeValid is always true.
Local $iLeeway = 60
Local $bTimeValid = $oJwt.IsTimeValid($sToken,$iLeeway)
ConsoleWrite("time constraints valid: " & $bTimeValid & @CRLF)
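; Now let's recover the original claims JSON (the payload).
; GetPayload only decodes the token, so trust these claims only if the signature and time checks above passed.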
Local $sPayload = $oJwt.GetPayload($sToken)
; The payload will likely be in compact form:
ConsoleWrite($sPayload & @CRLF)
; We can format it for human viewing by loading it into Chilkat's JSON object
; and emitting it.
$oJson = ObjCreate("Chilkat.JsonObject")
$bSuccess = $oJson.Load($sPayload)
$oJson.EmitCompact = False
ConsoleWrite($oJson.Emit() & @CRLF)
; We can recover the original JOSE header in the same way:
Local $sJoseHeader = $oJwt.GetHeader($sToken)
; The header will likely be in compact form:
ConsoleWrite($sJoseHeader & @CRLF)
; We can format it for human viewing by loading it into Chilkat's JSON object
; and emitting it.
$bSuccess = $oJson.Load($sJoseHeader)
$oJson.EmitCompact = False
ConsoleWrite($oJson.Emit() & @CRLF)
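
The listing above loads keys[0] unconditionally, but the JWKS holds more than one key and the token's JOSE header names the signing key in "kid". The following is an added example, not part of Chilkat's original sample, that selects the key by "kid" and rejects the token when nothing matches. The function name _FindJwkIndex, the JWKS and the token are constructed for illustration, and it assumes Chilkat's JsonObject StringOf, SizeOfArray and I members.

```autoit
; Added example (not Chilkat's sample code): choose the JWKS entry whose "kid"
; matches the token header. _FindJwkIndex is a hypothetical helper name.
Func _FindJwkIndex($oJsonKeys, $sToken)
    Local $oJwt = ObjCreate("Chilkat.Jwt")
    Local $oHdr = ObjCreate("Chilkat.JsonObject")
    If Not $oHdr.Load($oJwt.GetHeader($sToken)) Then Return -1
    ; The JWKS on this page lists RS256 keys only, so refuse any other header alg.
    ; "==" is AutoIt's case-sensitive string comparison.
    If Not ($oHdr.StringOf("alg") == "RS256") Then Return -1
    Local $sKid = String($oHdr.StringOf("kid"))
    If $sKid = "" Then Return -1
    ; SizeOfArray returns -1 when "keys" is missing, so the loop body never runs.
    For $i = 0 To $oJsonKeys.SizeOfArray("keys") - 1
        $oJsonKeys.I = $i ; "[i]" in a Chilkat JSON path is replaced by the I property
        If $oJsonKeys.StringOf("keys[i].kid") == $sKid And $oJsonKeys.StringOf("keys[i].alg") == "RS256" Then Return $i
    Next
    Return -1
EndFunc

; Constructed JWKS with two entries (key material omitted; only the lookup is shown).
Local $oDemoKeys = ObjCreate("Chilkat.JsonObject")
$oDemoKeys.Load('{"keys":[{"alg":"RS256","kid":"key-A","kty":"RSA"},{"alg":"RS256","kid":"key-B","kty":"RSA"}]}')

; Constructed token: header {"alg":"RS256","kid":"key-B"}, payload {}, dummy signature.
Local $sDemoToken = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImtleS1CIn0.e30.c2ln"

Local $iKey = _FindJwkIndex($oDemoKeys, $sDemoToken)
If $iKey < 0 Then
    ; Fail closed: no key with a matching kid means the token is not accepted.
    ConsoleWrite("no matching key; rejecting token" & @CRLF)
    Exit
EndIf
ConsoleWrite("verify with keys[" & $iKey & "]" & @CRLF)
; With the real JWKS, pass "keys[" & $iKey & "]" to ObjectOf2 in place of "keys[0]",
; then load the PublicKey and call VerifyJwtPk as in the listing above.
```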