django-cognito-jwt icon indicating copy to clipboard operation
django-cognito-jwt copied to clipboard

Published 20 hours ago verified publisher icon labd

Unable to accept Cognito Access Tokens

Open xavfernandez opened this issue 5 years ago • 2 comments

Cognito access tokens are lacking the aud field (cf https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html#amazon-cognito-user-pools-using-the-access-token) making their decoding impossible/invalid with this library since the audience is provided & expected at the decoding step: https://github.com/labd/django-cognito-jwt/blob/master/src/django_cognito_jwt/validator.py#L64.

Would you be willing to accept a PR making the audience optional ?

xavfernandez avatar Sep 05 '19 09:09 xavfernandez

Same happening to me. Authentication works by providing the IdToken, but it doesn't using the normal AccessToken. I would rather use AccessToken because the IdToken contains some sensitive user data (like email, etc) that I would prefer not to send around in a token.

martinzugnoni avatar Jun 26 '20 22:06 martinzugnoni

Just a note: the module will accept the access token is the COGNITO_AUDIENCE setting is set to None.

danni avatar Apr 07 '21 07:04 danni