
We are using AWS Cognito Federated Identities to obtain a Session Token from the AWS Security Token Service, then leverage it to secure our APIs via API Gateway. This is working well.

But within our web service, we sometimes must obtain the issuer and subject from the JWT token used to derive the Session Token. For this, we are exploring AWSSecurityTokenServiceClient.

But my question is whether it's possible to simply decode the Session Token without invoking the Security Token Service for every API call. Thoughts?

Randy Leonard
  • The JWT token is located in the cookie; if you can get the cookie, you can decode the JWT token. I hope I understood you; if I missed the point, please share some more information with us. – Amit Baranes Sep 28 '19 at 10:13
  • Thanks for your response, but I'm referring to a REST API sent through the AWS API Gateway to a back-end server. The API Gateway examines the IAM roles specified in the Session Token, and either denies or approves the API for passthrough. Once in our back-end microservice, we need to further examine the Session Token for the Issuer and Subject. In other words, there is no cookie. – Randy Leonard Sep 28 '19 at 17:15
  • @RandyLeonard, did you ever figure this out? – jmrah Mar 22 '21 at 15:39
  • Unfortunately not – Randy Leonard Aug 03 '21 at 06:08

3 Answers

Yes, a JWT token can be decoded without calling the Security Token Service for every API call.

Please copy-paste the JWT token into https://jwt.io and you can see the details.

Robin Varghese
  • Agreed that is doable, but all that shows up are three claims, two of which are timestamps. What we are looking for is the issuer and subject of the original JWT token, which I presume is embedded within the Session Token.... nested tokens, that is. – Randy Leonard Oct 01 '19 at 15:22
  • Let me rephrase that... decoding a session token provides just three claims, two of which are timestamps. What we are looking for is the issuer and subject of the original JWT token, which I presume is embedded within the Session Token.... nested tokens, that is. Keep in mind, our services are working only with a Session Token from the Security Token Service, not the JWT token from the Identity Provider. – Randy Leonard Oct 01 '19 at 15:47
(Image: Sample Cognito JWT Token)

This image has the full payload of what you are looking for: the session token and the JWT token. I hope this is what you are looking for.

However, please note that only the JWT token will be passed in API Gateway.

Robin Varghese
  • If that is the Session Token created by the AWS Security Token Service, then that is perfect. Especially given it has embedded the Identity and Access tokens. Unfortunately, this is not what I am seeing. I'll provide the full response from the Security Token Service in a separate 'Answer', to illustrate the Session Token from AWS STS does not appear to be a valid JWT token format – Randy Leonard Oct 02 '19 at 04:26
Here is an example of the response provided by AWS Security Token Service, via an API call to Cognito Federated Services:

{"IdentityId":"us-east-2:4628a310-f743-43bb-8808-6123c744c664","Credentials":{"AccessKeyId":"ASIATTD56AWGXWG2GGES","SecretKey":"0TOwO2JMgWQLd6FvVrX5m9UKsDcFfQW3goG3NQ8Z","SessionToken":"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","Expiration":"2019-09-27T18:13:42.000Z"}}

Note that the SessionToken is fairly lengthy, but it does not decode when pasted into https://jwt.io.

Randy Leonard
  • Are you providing any solutions in your answer, or are you just pointing out that the STS SessionToken is not a JWT, and thus can't be decoded? – jmrah Mar 22 '21 at 15:38
  • Apologies... I have not been successful in decoding a SessionToken. – Randy Leonard Aug 03 '21 at 06:09
  • @RandyLeonard, in case you still care, I have discovered that the AWS_SESSION_TOKEN seems to be base64 encoded. For instance, decoding the aws token above, I can see this: "origin_ec us-east-2" in the content. But if there is more information encoded into the token than that, it's likely that there is additional encoding in the result. – CStroliaDavis Nov 24 '21 at 13:31
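The two points made across this thread (a Cognito JWT can be decoded locally to read its issuer and subject, while the STS SessionToken is an opaque blob that is not a JWT) as an added example, not code from any of the posters. The tokens, issuer, subject, key id and pool id below are constructed sample values, not real AWS material.

```python
import base64
import json

# Constructed sample values (not real AWS tokens). The issuer follows Cognito's
# https://cognito-idp.<region>.amazonaws.com/<userPoolId> form; the pool id is a placeholder.
SAMPLE_ISS = "https://cognito-idp.us-east-2.amazonaws.com/us-east-2_EXAMPLEPOOL"
SAMPLE_SUB = "11111111-2222-3333-4444-555555555555"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(claims: dict) -> str:
    # Unsigned stand-in for a Cognito ID token; a real one carries an RS256 signature.
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(b'fake-signature')}"


SAMPLE_ID_TOKEN = make_sample_jwt({"iss": SAMPLE_ISS, "sub": SAMPLE_SUB, "token_use": "id"})
# Constructed opaque STS-style SessionToken: plain base64 over binary, no dot-separated JSON parts.
SAMPLE_SESSION_TOKEN = base64.b64encode(b"\x00\x01origin_ec\x00us-east-2\x00" + bytes(range(64))).decode()


def looks_like_jwt(token: str) -> bool:
    """True only for a compact JWS: three base64url parts, the first a JSON header carrying 'alg'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON (all subclasses of ValueError)
        return False
    return isinstance(header, dict) and "alg" in header


def unverified_claims(token: str) -> dict:
    """Payload claims WITHOUT signature verification: usable for routing or logging, never for
    authorization. Verify against the pool's JWKS (<iss>/.well-known/jwks.json) before trusting them."""
    if not looks_like_jwt(token):
        raise ValueError("not a JWT; an STS SessionToken is opaque and carries no readable claims")
    return json.loads(_b64url_decode(token.split(".")[1]))


def issuer_and_subject(token: str) -> tuple:
    claims = unverified_claims(token)
    return claims.get("iss"), claims.get("sub")
```

Running `issuer_and_subject(SAMPLE_ID_TOKEN)` yields the constructed issuer and subject, while `looks_like_jwt(SAMPLE_SESSION_TOKEN)` is False, which is the behaviour seen on jwt.io in the thread.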