Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Two methods/examples of how to decode and verify the signature of AWS cognito JWT web tokens externally. This uses RSA key pair and alternatively PKCS1_v1_5. See for example of signing and verification by downloading an ISSUERS PKI SSL certificate from the signers website, and h…
#!/usr/bin/env python
import os
import time
import json
import base64
import requests
import argparse
from base64 import urlsafe_b64decode, b64decode
from Crypto.Hash import SHA256, SHA512
from Crypto.Signature import PKCS1_v1_5
from Crypto.PublicKey import RSA
from Crypto.Util.number import bytes_to_long
import jwt
Two methods/examples of how to decode and verify the signature of AWS cognito JWT web tokens externally
def maybe_pad(s):
return (s + '=' * (4 - len(s) % 4))
def get_token_segments(token):
A valid token will have at least two seqments. Segments are delimited by
a period '.'
header, payload, signature = token.split(".")
The JWT spec tells us the header MUST be urlsafe B64 encoded. Decode it
but first add any padding (by adding one or more =) that may be needed
Get the header json object that was stringified, it will be returned a
string of bytes
header_json_str = urlsafe_b64decode(maybe_pad(header))
get the payload json object that was stringified, it will be returned a
string of bytes
payload_json_str = urlsafe_b64decode(maybe_pad(payload))
get the signature that was stringified, it will be returned a string of
bytes. It is not an object but rather the signature byte string, so full
of non printable characters
signature_bytes = urlsafe_b64decode(maybe_pad(signature))
convert header and payload back into objects. The signature is already
a byte string
NB: The order of the keys in the dict/object that results from the
json.loads call will not be ordered in any way so watch out if you
expect the transformations to be reversable
object -> json.dumps -> string <==> string -> json.loads -> object
This can trip you up if you decode a header and payload, then try to recode
it and expect the signature to work out.
header_json = json.loads(header_json_str, 'utf-8')
payload_json = json.loads(payload_json_str, 'utf-8')
return header_json, payload_json, signature_bytes
def get_EXP(token):
payload_json = get_token_segments(token)[1]
exp = payload_json['exp']
print "Time now: %s" % (time.strftime('%Y-%m-%d %H:%M:%S',
print "Expires: %s" % (time.strftime('%Y-%m-%d %H:%M:%S',
return exp
def get_AUD(token):
payload_json = get_token_segments(token)[1]
aud = payload_json['aud']
return aud
def get_ISS(token):
payload_json = get_token_segments(token)[1]
iss = payload_json['iss']
return iss
def get_ALG(token):
header_json = get_token_segments(token)[0]
alg = header_json['alg']
return alg
def get_KID(token):
header_json = get_token_segments(token)[0]
kid = header_json['kid']
return kid
def get_modulus_and_exponant(jwk_sets, kid, algorithm, force_fail=False):
print("Looking for kid=%s algo=%s in the jwt key sets" % (kid, algorithm))
for jwks in jwk_sets['keys']:
if (force_fail and jwks['kid'] != kid) or (jwks['kid'] == kid and
jwks['alg'] == algorithm):
e_b64 = jwks['e']
n_b64 = jwks['n']
e_bytes = b64decode(e_b64)
n_bytes = b64decode(n_b64)
exponant = bytes_to_long(e_bytes)
modulus = bytes_to_long(n_bytes)
return modulus, exponant
def get_jwks_json(token):
iss = get_ISS(token)
url = "%s%s" % (iss, '/.well-known/jwks_uri')
print("jwks_uri url: %s" % url)
hfn =
if not os.path.exists("/tmp/%s" % (hfn)):
r = requests.get(url)
if r.status_code == 200:
with open("/tmp/%s" % (hfn), "w") as outfile:
return r.json()
with open("/tmp/%s" % (hfn), "r") as infile:
return json.loads(
def construct_RSA_publickey(exponant, modulus):
publicKey = RSA.construct((exponant, modulus))
return publicKey.publickey().exportKey(), publicKey.publickey()
def main(token):
u""" the upstream base64 decode routines expect sr types so convert if needed """
if type (token) = unicode:
token = token.encode('utf-8')
Extract the KeyID and some other useful information to validate the token.
Note: For other than this demo case, in real world uses we would obviously not
check the validity of AUD, ISS against itself but rather values you expect
kid = get_KID(token)
alg = get_ALG(token)
aud = get_AUD(token)
The AWS Cognito JWT is digitally signed by the private key
half of the ISSUERS RSA key pair. We can find who the ISSUER
was by looking for the 'iss' key in payload. To verify the token
signature there are a few basic steps.
Step 1:
Get the corrosponding Public Key half of the RSA key pair that
signed the token.
We get it from the URL addressed via:
ISS + '/.well-known/jwks_uri'
jwk_sets = get_jwks_json(token)
The particular key we want is the key set that matches the 'kid' in the
token header. It'll look something like this:
"kty": "RSA",
"alg": "RS512",
"use": "sig",
"kid": "ap-southeast-22",
"n": "AJZzNUBnF1H6rFFiqJbiziWW7VVbyo............Ws35b7",
"e": "AQAB"
Step 2:
Note the key type and hash algorithm. Extract the modulus
(the n value) and the exponant (the e value) from the key set
modulus, exponant = get_modulus_and_exponant(jwk_sets, kid, alg)
u""" Using the modulus and exponant construct the Public key and
return it in PEM format. It will look something like this:
-----END PUBLIC KEY-----
pem, publicKey = construct_RSA_publickey(modulus, exponant)
Step 3a
Using the pyjwt module we can now try to decode & verify the token
#pip install pyjwt
Use the correct AUD, PEM etc., values below as required. In this case they will
always be right because we just extrated from the token itself.
payload_decoded_and_verified = jwt.decode(token, pem, audience=aud,
algorithms=[alg], verify=True)
possible errors/exceptions from pyjwt
jwt.exceptions.ExpiredSignatureError: Signature has expired
see the u'exp': 1483323209 value in the payload
jwt.exceptions.DecodeError: Signature verification failed
if payload_decoded_and_verified:
print ("verify successful.\npayload:\n%s\n" %
print ("verify failed")
Or, alternatively, using the PKCS1_v1_5 module you can also verify it.
Step 3b
Note: One thing to watch out for here is that the order of the keys in the
header payload matters, so if you decode a header from a token to a dict eg
dict = json.loads(base64.urlsafe_b64decode(header)) and then encode it back
the order of the keys may be different as a python dict is unordered
With that in mind, using PKCS1_v1_5 we can try to verify
header_base64 = token.split(".")[0]
payload_base64 = token.split(".")[1]
signature_base64 = token.split(".")[-1]
signature = base64.urlsafe_b64decode(maybe_pad(signature_base64))
hash_object ='' + header_base64 + b'.' + b'' + payload_base64)
verifier =
Notice here it is the hash object and not the digest that is supplied to verify
verified = verifier.verify(hash_object, signature)
print ("Signature verification result using PKCS1_v1_5: %s" % (verified))
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('--token', help='a JWT or JWS token.', required=True)
args = parser.parse_args()
Copy link

richmondwang commented Mar 2, 2017

Or you can also use python-jose package :)

Copy link

bjinwright commented Mar 2, 2017

@richmondwang Can you post a gist of doing this with python-jose using a RSA key as used with AWS Cognito?

Copy link

richmondwang commented Mar 31, 2017


Sorry for the very late reply. But here is my simple Gist for doing this in Python Jose package.

You can get your JWK Set by using your token issuer and appending .well-known/jwks.json, for example

The KeyId you are using in decoding the token should match the kid in the token headers because that is its public rsa key.

Copy link

jdalegonzalez commented Apr 21, 2017

@bjinwright, @richmondwang

Thanks for the python-jose gist. I went ahead and implemented the rest of the things necessary to perform the validation of AWS tokens (getting the JWK set from AWS, pulling the kid from the token, multiple ways of finding the client_id for the audience, etc..)

Result is here:

Comments wecome

Copy link

ispulkit commented Jan 10, 2018

Copy link

kyeljmd commented Mar 3, 2018

@richmondwang How do you perform verification of signature? I do not think it is safe to decode a jwt token that comes from unverified sources

Copy link

jagadish432 commented Dec 19, 2019

I am getting "incorrect padding" while doing n_bytes=base64decode(n_64), so I tried in 2 ways:
a) added padding using
missing_padding = len(n_b64)%4
if missing_padding:
n_b64 += '=' * (4-missing_padding)
b) n_bytes = bytes(n_64, 'utf-8')

but no matter which step I follow, it is failing in jwt.decode() step stating "Invalid signature".

Error screenshot:

In the screenshot, I didn't pass the "aud", but I also tried that and it got failed.
Note: For the "aud", I am using payload['sub'] because I am not receiving "aud" in my JWT token.

Copy link

jonathanabila commented Mar 20, 2020

@jagadish432 did you manage to solve? I'm having the same problems: /

Copy link

jagadish432 commented Mar 21, 2020

@jagadish432 did you manage to solve? I'm having the same problems: /

@jonathanabila yes I used the below settings to make it work, let me know if you need any more info.

self.jwtOptions = {
'verify_signature': True,
'verify_exp': True,
'verify_iat': True,
'verify_aud': False
payload_decoded_and_verified = jwt.decode(accessToken, key=self.pem, algorithms=[self.header['alg']],
verify=True, options=self.jwtOptions)

Copy link

thambrick commented Feb 28, 2021

Is there an easy way to get past this error: "Unable to import module 'lambda_function': No module named 'jose'"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment