JWT Verification
The @nestjs-cognito/core package provides two mutually exclusive JWT verification implementations that share the same injection token. The implementation you get depends on your module configuration.
JWT Claims Verification
Both implementations perform comprehensive JWT claims verification according to AWS Cognito standards:
- Expiration Check: Verifies the `exp` claim to ensure the token hasn't expired
- Audience Validation:
  - For ID tokens: Validates the `aud` claim matches the app's client ID
  - For Access tokens: Validates the `client_id` claim matches the app's client ID
- Issuer Verification: Validates the `iss` claim matches your Cognito User Pool's issuer URL format: `https://cognito-idp.[REGION].amazonaws.com/[USER_POOL_ID]`
- Token Use Verification: Validates the `token_use` claim:
  - Must be `access` for access tokens
  - Must be `id` for ID tokens
  - Can be set to `null` to accept both token types
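The claim checks listed above, written out as a stand-alone function so the order and failure modes are visible. This is an added example, not code from @nestjs-cognito/core (which delegates verification to aws-jwt-verify); `verifyCognitoClaims`, `claimsError`, the option field names and the sample user pool id, client id and timestamps are assumptions constructed for illustration. The block checks claims on an already decoded payload only; it does not verify the signature, which the real verifier does against the user pool's JWKS before any of these claims can be trusted.

```typescript
// Added example: claim checks for a Cognito JWT payload (not the library's own code).
// Signature verification is deliberately out of scope here.

export type TokenUse = "access" | "id" | null;

export interface CognitoClaimsOptions {
  region: string;      // AWS region of the user pool, e.g. "us-east-1"
  userPoolId: string;  // user pool id; sample value below is a placeholder
  clientId: string;    // app client id the token must be issued for
  tokenUse: TokenUse;  // "access", "id", or null to accept both
  nowSeconds?: number; // injectable clock (unix seconds) so checks are deterministic
}

export interface CognitoPayload {
  exp?: number;
  iss?: string;
  aud?: string | string[];
  client_id?: string;
  token_use?: string;
  [claim: string]: unknown;
}

// Expected issuer format: https://cognito-idp.[REGION].amazonaws.com/[USER_POOL_ID]
export function cognitoIssuer(region: string, userPoolId: string): string {
  return `https://cognito-idp.${region}.amazonaws.com/${userPoolId}`;
}

// Decode the payload segment of a compact JWT without verifying it.
export function decodeJwtPayload(token: string): CognitoPayload {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Throws on the first failing check; returns the payload when all checks pass.
export function verifyCognitoClaims(payload: CognitoPayload, opts: CognitoClaimsOptions): CognitoPayload {
  const now = opts.nowSeconds ?? Math.floor(Date.now() / 1000);

  // Expiration check
  if (typeof payload.exp !== "number") throw new Error("missing exp claim");
  if (payload.exp <= now) throw new Error("token expired");

  // Issuer verification
  const expectedIss = cognitoIssuer(opts.region, opts.userPoolId);
  if (payload.iss !== expectedIss) throw new Error("unexpected issuer");

  // Token use verification
  const use = payload.token_use;
  if (use !== "access" && use !== "id") throw new Error("token_use must be access or id");
  if (opts.tokenUse !== null && use !== opts.tokenUse) {
    throw new Error(`expected token_use ${opts.tokenUse}, got ${use}`);
  }

  // Audience validation: aud for ID tokens, client_id for access tokens
  if (use === "id") {
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(opts.clientId)) throw new Error("aud does not match client id");
  } else if (payload.client_id !== opts.clientId) {
    throw new Error("client_id does not match client id");
  }
  return payload;
}

// Convenience wrapper: null when valid, otherwise the rejection reason.
export function claimsError(payload: CognitoPayload, opts: CognitoClaimsOptions): string | null {
  try {
    verifyCognitoClaims(payload, opts);
    return null;
  } catch (e) {
    return (e as Error).message;
  }
}

// Constructed sample data (placeholder ids, fixed clock at 1700000000).
export const SAMPLE_OPTS: CognitoClaimsOptions = {
  region: "us-east-1",
  userPoolId: "us-east-1_EXAMPLE",
  clientId: "example-app-client-id",
  tokenUse: "access",
  nowSeconds: 1700000000,
};

export const SAMPLE_ACCESS_PAYLOAD: CognitoPayload = {
  exp: 1700003600,
  iss: cognitoIssuer("us-east-1", "us-east-1_EXAMPLE"),
  client_id: "example-app-client-id",
  token_use: "access",
};

// A constructed unsigned compact token carrying the sample payload (header/signature are dummies).
export const SAMPLE_TOKEN =
  Buffer.from('{"alg":"RS256","kid":"dummy"}').toString("base64url") + "." +
  Buffer.from(JSON.stringify(SAMPLE_ACCESS_PAYLOAD)).toString("base64url") + ".dummy";
```

Setting `tokenUse: null` makes the function accept either token type, but the audience check still switches on the token's own `token_use` claim, so an ID token is never accepted on the strength of a `client_id` claim and vice versa.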
Cognito JWT Verification
When you configure `jwtVerifier` in your module, this implementation is used to verify JWTs issued by AWS Cognito:
```typescript
import { Injectable } from "@nestjs/common";
import {
  CognitoJwtVerifier,
  InjectCognitoJwtVerifier
} from "@nestjs-cognito/core";

@Injectable()
export class MyService {
  constructor(
    // Resolves to the Cognito verifier because jwtVerifier is configured
    @InjectCognitoJwtVerifier()
    private readonly jwtVerifier: CognitoJwtVerifier
  ) {}

  // Resolves with the verified payload, rejects if the token is invalid
  async verifyToken(token: string) {
    return this.jwtVerifier.verify(token);
  }
}
```
RSA JWT Verification
When you configure `jwtRsaVerifier` in your module, this implementation is used to verify JWTs using RSA public keys:
```typescript
import { Injectable } from "@nestjs/common";
import {
  JwtRsaVerifier,
  InjectCognitoJwtVerifier
} from "@nestjs-cognito/core";

@Injectable()
export class MyService {
  constructor(
    // Same injection token; resolves to the RSA verifier because jwtRsaVerifier is configured
    @InjectCognitoJwtVerifier()
    private readonly jwtVerifier: JwtRsaVerifier
  ) {}

  // Resolves with the verified payload, rejects if the token is invalid
  async verifyToken(token: string) {
    return this.jwtVerifier.verify(token);
  }
}
```