Skip to content

Instantly share code, notes, and snippets.

Forked from rondomondo/
Created September 13, 2021 01:21
Show Gist options
  • Save knxroot/0c9bacb1b59134d1031661b855058c48 to your computer and use it in GitHub Desktop.
Save knxroot/0c9bacb1b59134d1031661b855058c48 to your computer and use it in GitHub Desktop.
Two methods/examples of how to decode and verify the signature of AWS cognito JWT web tokens externally. This uses RSA key pair and alternatively PKCS1_v1_5. See for example of signing and verification by downloading an ISSUERS PKI SSL certificate from the signers website, and h…
#!/usr/bin/env python
import os
import time
import json
import base64
import requests
import argparse
from base64 import urlsafe_b64decode, b64decode
from Crypto.Hash import SHA256, SHA512
from Crypto.Signature import PKCS1_v1_5
from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long
import jwt
Two methods/examples of how to decode and verify the signature of AWS cognito JWT web tokens externally
def maybe_pad(s):
return (s + '=' * (4 - len(s) % 4))
def get_token_segments(token):
A valid token will have at least two seqments. Segments are delimited by
a period '.'
header, payload, signature = token.split(".")
The JWT spec tells us the header MUST be urlsafe B64 encoded. Decode it
but first add any padding (by adding one or more =) that may be needed
Get the header json object that was stringified, it will be returned a
string of bytes
header_json_str = urlsafe_b64decode(maybe_pad(header))
get the payload json object that was stringified, it will be returned a
string of bytes
payload_json_str = urlsafe_b64decode(maybe_pad(payload))
get the signature that was stringified, it will be returned a string of
bytes. It is not an object but rather the signature byte string, so full
of non printable characters
signature_bytes = urlsafe_b64decode(maybe_pad(signature))
convert header and payload back into objects. The signature is already
a byte string
NB: The order of the keys in the dict/object that results from the
json.loads call will not be ordered in any way so watch out if you
expect the transformations to be reversable
object -> json.dumps -> string <==> string -> json.loads -> object
This can trip you up if you decode a header and payload, then try to recode
it and expect the signature to work out.
header_json = json.loads(header_json_str, 'utf-8')
payload_json = json.loads(payload_json_str, 'utf-8')
return header_json, payload_json, signature_bytes
def get_EXP(token):
payload_json = get_token_segments(token)[1]
exp = payload_json['exp']
print "Time now: %s" % (time.strftime('%Y-%m-%d %H:%M:%S',
print "Expires: %s" % (time.strftime('%Y-%m-%d %H:%M:%S',
return exp
def get_AUD(token):
payload_json = get_token_segments(token)[1]
aud = payload_json['aud']
return aud
def get_ISS(token):
payload_json = get_token_segments(token)[1]
iss = payload_json['iss']
return iss
def get_ALG(token):
header_json = get_token_segments(token)[0]
alg = header_json['alg']
return alg
def get_KID(token):
header_json = get_token_segments(token)[0]
kid = header_json['kid']
return kid
def get_modulus_and_exponant(jwk_sets, kid, algorithm, force_fail=False):
print("Looking for kid=%s algo=%s in the jwt key sets" % (kid, algorithm))
for jwks in jwk_sets['keys']:
if (force_fail and jwks['kid'] != kid) or (jwks['kid'] == kid and
jwks['alg'] == algorithm):
e_b64 = jwks['e']
n_b64 = jwks['n']
e_bytes = b64decode(e_b64)
n_bytes = b64decode(n_b64)
exponant = bytes_to_long(e_bytes)
modulus = bytes_to_long(n_bytes)
return modulus, exponant
def get_jwks_json(token):
iss = get_ISS(token)
url = "%s%s" % (iss, '/.well-known/jwks_uri')
print("jwks_uri url: %s" % url)
hfn =
if not os.path.exists("/tmp/%s" % (hfn)):
r = requests.get(url)
if r.status_code == 200:
with open("/tmp/%s" % (hfn), "w") as outfile:
return r.json()
with open("/tmp/%s" % (hfn), "r") as infile:
return json.loads(
def construct_RSA_publickey(exponant, modulus):
publicKey = RSA.construct((exponant, modulus))
return publicKey.publickey().exportKey(), publicKey.publickey()
def main(token):
u""" the upstream base64 decode routines expect sr types so convert if needed """
if type (token) = unicode:
token = token.encode('utf-8')
Extract the KeyID and some other useful information to validate the token.
Note: For other than this demo case, in real world uses we would obviously not
check the validity of AUD, ISS against itself but rather values you expect
kid = get_KID(token)
alg = get_ALG(token)
aud = get_AUD(token)
The AWS Cognito JWT is digitally signed by the private key
half of the ISSUERS RSA key pair. We can find who the ISSUER
was by looking for the 'iss' key in payload. To verify the token
signature there are a few basic steps.
Step 1:
Get the corrosponding Public Key half of the RSA key pair that
signed the token.
We get it from the URL addressed via:
ISS + '/.well-known/jwks_uri'
jwk_sets = get_jwks_json(token)
The particular key we want is the key set that matches the 'kid' in the
token header. It'll look something like this:
"kty": "RSA",
"alg": "RS512",
"use": "sig",
"kid": "ap-southeast-22",
"n": "AJZzNUBnF1H6rFFiqJbiziWW7VVbyo............Ws35b7",
"e": "AQAB"
Step 2:
Note the key type and hash algorithm. Extract the modulus
(the n value) and the exponant (the e value) from the key set
modulus, exponant = get_modulus_and_exponant(jwk_sets, kid, alg)
u""" Using the modulus and exponant construct the Public key and
return it in PEM format. It will look something like this:
-----END PUBLIC KEY-----
pem, publicKey = construct_RSA_publickey(modulus, exponant)
Step 3a
Using the pyjwt module we can now try to decode & verify the token
#pip install pyjwt
Use the correct AUD, PEM etc., values below as required. In this case they will
always be right because we just extrated from the token itself.
payload_decoded_and_verified = jwt.decode(token, pem, audience=aud,
algorithms=[alg], verify=True)
possible errors/exceptions from pyjwt
jwt.exceptions.ExpiredSignatureError: Signature has expired
see the u'exp': 1483323209 value in the payload
jwt.exceptions.DecodeError: Signature verification failed
if payload_decoded_and_verified:
print ("verify successful.\npayload:\n%s\n" %
print ("verify failed")
Or, alternatively, using the PKCS1_v1_5 module you can also verify it.
Step 3b
Note: One thing to watch out for here is that the order of the keys in the
header payload matters, so if you decode a header from a token to a dict eg
dict = json.loads(base64.urlsafe_b64decode(header)) and then encode it back
the order of the keys may be different as a python dict is unordered
With that in mind, using PKCS1_v1_5 we can try to verify
header_base64 = token.split(".")[0]
payload_base64 = token.split(".")[1]
signature_base64 = token.split(".")[-1]
signature = base64.urlsafe_b64decode(maybe_pad(signature_base64))
hash_object ='' + header_base64 + b'.' + b'' + payload_base64)
verifier =
Notice here it is the hash object and not the digest that is supplied to verify
verified = verifier.verify(hash_object, signature)
print ("Signature verification result using PKCS1_v1_5: %s" % (verified))
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('--token', help='a JWT or JWS token.', required=True)
args = parser.parse_args()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment