Checking a JWT validity using JWKs in Clojure (tested with Cognito)

jwt.clj

(ns services.jwt
  (:require [buddy.sign.jwt :as jwt]
            [clojure.data.codec.base64 :as b64]
            [clojure.string :as str]
            [cheshire.core :as json]
            [buddy.core.keys :as keys] ;; You need to use [buddy/buddy-core "1.5.0-SNAPSHOT"]
            [clojure.java.io :as io]))

(defn decode-b64 [str] (String. (b64/decode (.getBytes str))))
(defn parse-json [s]
  ;; beware, I got some tokens from AWS Cognito where the last '}' was missing in the payload
  (let [clean-str (if (str/ends-with? s "}") s (str s "}"))]
    (json/parse-string clean-str keyword)))

(defn decode [token]
  (let [[header payload _] (clojure.string/split token #"\.")]
    {:header  (parse-json (decode-b64 header))
     :payload (parse-json (decode-b64 payload))}))

(def token "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.aUxz0yQGItWdwmzz-P9hn1Od-dm_fhjoswCluICgga8")


;; GET TOKEN CONTENT

(decode token)
;; => {:header {:alg "HS256", :typ "JWT"}, :payload {:sub "1234567890", :name "John Doe", :iat 1516239022}}


;; VERIFY TOKEN USING HS256
(jwt/unsign token "clojure" {:alg :hs256}) ;; "clojure" is the secret I put in the bottom left pane in https://jwt.io

;; VERIFY TOKEN USING RS256 (JWK)
(let [public-key (-> "keys/dev/jwks.json" io/resource slurp (json/parse-string keyword) :keys first keys/jwk->public-key)]
  (try
    (jwt/unsign token public-key {:alg :rs256})
    (catch Throwable t
      {:error   true
       :details (ex-data t)})))
;; => {:error true, :details {:type :validation, :cause :signature}}
;;    :signature error since I got this token on https://jwt.io and tried to unsign it using my own JWK
;;    I don't want to past a private token in this public gist ;) .
;;    Drop a comment if you need more info.