I have been trying to validate the "refresh token" returned by Amazon Cognito Identity Provider via their boto3 python client. I've been using the validator at https://jwt.io.
When I paste the refresh token into the "encoded" box, it returns a header:
{
  "cty": "JWT",
  "enc": "A256GCM",
  "alg": "RSA-OAEP"
}
but the tool also says "invalid signature" at the bottom.
I'm wondering if this is expected behavior? Are AWS Cognito refresh tokens not valid JWTs?
Yes, with this header it appears that the refresh token is a valid JWT.
https://jwt.io is not able to parse it because it is limited to signed JWTs (JWS, RFC 7515) and this one is an encrypted one (JWE, RFC 7516).
Contrary to the JWS, the JWE is composed of 5 parts separated by dots. Its header can be parsed, but the payload is encrypted and cannot be read without the private or shared key.
According to the cty header, this token contains another JWT that is certainly a JWS. This nested token allows both of the two worlds: signed and encrypted claims.
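A quick way to tell the two serializations apart before pasting a token into a validator, as an added example that is not from the question or the answer above: it splits the compact token on dots, decodes only the protected header, and reports whether it is a JWS or a JWE and what that means for verification. The sample tokens are constructed; only the JWE header is copied from the question, and the other segments are dummy bytes.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JOSE strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def inspect_token(token: str) -> dict:
    """Classify a compact-serialized JOSE token as JWS (3 parts) or JWE (5 parts).

    Only the protected header is decoded; nothing is verified or decrypted here.
    """
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"not a compact JOSE token: {len(parts)} segments")
    header = json.loads(_b64url_decode(parts[0]))
    result = {"kind": kind, "header": header}
    if kind == "JWE":
        # In a JWE, alg is key management and enc is content encryption (RFC 7516)
        result["key_management"] = header.get("alg")
        result["content_encryption"] = header.get("enc")
        result["nested_jwt"] = str(header.get("cty", "")).upper() == "JWT"
        result["note"] = "payload is ciphertext; a JWS-only validator cannot check it"
    else:
        result["signature_alg"] = header.get("alg")
        result["note"] = "payload is readable; verify the signature before trusting claims"
    return result

# Constructed sample tokens (not real Cognito tokens). The JWE header copies the one
# in the question; the remaining segments are dummy bytes standing in for real ones.
SAMPLE_JWE = ".".join(_b64url_encode(s) for s in [
    json.dumps({"cty": "JWT", "enc": "A256GCM", "alg": "RSA-OAEP"}).encode(),
    b"encrypted-key", b"iv", b"ciphertext", b"tag",
])
SAMPLE_JWS = ".".join(_b64url_encode(s) for s in [
    json.dumps({"alg": "RS256", "kid": "example-kid"}).encode(),
    json.dumps({"sub": "example-user", "token_use": "id"}).encode(),
    b"signature",
])

if __name__ == "__main__":
    for tok in (SAMPLE_JWE, SAMPLE_JWS):
        print(json.dumps(inspect_token(tok), indent=2))
```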