Small utility library to validate JWT tokens as generated by the AWS ALB "authenticate with Cognito" rule. There are two tokens packaged in the HTTP request headers, as described here:
- x-amzn-oidc-accesstoken: contains a standard JWT access token
- x-amzn-oidc-data: contains the proprietary ALB user claims token
The first one can be validated in a "standard" way; the second one uses a non-standard way to obtain the necessary public keys, which are simply published on a specific URL as PEM files. This library is a wrapper around:
Access token validation is implemented in AWSAlbAccessTokenValidator. It uses a custom implementation of SigningKeyResolver which wraps UrlJwkProvider in a GuavaCachedJwkProvider. The cache holds 5 keys for 5 days.
It must be configured with the AWS Cognito User Pool URL. Besides the standard validations, the token is additionally checked that the iss URL matches the provided Cognito User Pool URL and that the token contains the claim "token_use": "access". The necessary public keys are fetched from the "well-known" jwks.json URL.
This is the more tricky part, because the public key is not provided as a JWK and cannot be fetched from the well-known URLs. For this a custom implementation is provided in AWSAlbUserClaimsJwkProvider. It uses HttpPublicKeyRemoteReader to access the public key from the AWS ALB regional endpoint, as described here. The public key, received as PEM, is converted to a PublicKey and cached in the AWSAlbUserClaimsJwkProvider. The cache holds 5 keys for 24 hours.
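The following is an added illustration of the user claims validation path described above, written against the jjwt API the library wraps; it is not the library's own code. It assumes the AWS-documented regional key endpoint https://public-keys.auth.elb.<region>.amazonaws.com/<kid>, that the PEM is an SPKI "PUBLIC KEY" block for an EC (ES256) key, and replaces the bounded 5-key/24-hour cache with a plain map.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.Key;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Resolves the signing key of an x-amzn-oidc-data token from the ALB regional key endpoint. */
public final class AlbUserClaimsKeyResolver extends SigningKeyResolverAdapter {
    private final String region;                   // e.g. "eu-west-1" (assumed configuration value)
    private final HttpClient http = HttpClient.newHttpClient();
    // Unbounded cache for illustration only; the library bounds this to 5 keys and 24 hours.
    private final Map<String, PublicKey> cache = new ConcurrentHashMap<>();

    public AlbUserClaimsKeyResolver(String region) { this.region = region; }

    @Override
    public Key resolveSigningKey(JwsHeader header, Claims claims) {
        String kid = header.getKeyId();            // the key id selects which PEM to fetch
        if (kid == null || kid.isBlank()) throw new IllegalArgumentException("token header has no kid");
        return cache.computeIfAbsent(kid, this::fetchPublicKey);
    }

    private PublicKey fetchPublicKey(String kid) {
        // Assumed endpoint layout: https://public-keys.auth.elb.<region>.amazonaws.com/<kid>
        URI uri = URI.create("https://public-keys.auth.elb." + region + ".amazonaws.com/" + kid);
        try {
            HttpResponse<String> rsp = http.send(HttpRequest.newBuilder(uri).GET().build(),
                                                 HttpResponse.BodyHandlers.ofString());
            if (rsp.statusCode() != 200) throw new IllegalStateException("HTTP " + rsp.statusCode());
            // Strip the PEM armour and decode the DER-encoded SubjectPublicKeyInfo
            String b64 = rsp.body().replace("-----BEGIN PUBLIC KEY-----", "")
                                   .replace("-----END PUBLIC KEY-----", "").replaceAll("\\s", "");
            byte[] der = Base64.getDecoder().decode(b64);
            return KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(der));
        } catch (Exception e) {
            throw new IllegalStateException("cannot load ALB public key for kid " + kid, e);
        }
    }

    /** Verifies the signature (and exp/nbf) of the user claims token and returns its claims. */
    public Claims verify(String userClaimsToken) {
        return Jwts.parserBuilder().setSigningKeyResolver(this).build()
                   .parseClaimsJws(userClaimsToken).getBody();
    }
}
```

Any failure while parsing, fetching or decoding surfaces as an exception from verify(); the library itself maps these to InvalidTokenException and PEMDecodingException as described below.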
Token validation exceptions from the underlying frameworks are wrapped in an InvalidTokenException. Problems converting the PEM file to a public key are reported as a PEMDecodingException.