Cognito JWT Authorize in ASP.NET Core 6 Web API

Yaron Published at Dev

502548928:

Yaron

How can I configure my ASP.NET Core 6 Web API controllers to use AWS Cognito authorization?

This is the code I wrote in my program.cs file:

var AWSconfiguration = builder.Configuration.GetSection("AWS:Cognito");
var userPoolId = AWSconfiguration["UserPoolId"];
var clientId = AWSconfiguration["ClientId"];
var region = AWSconfiguration["Region"];

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.Authority = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidIssuer = $"https://cognito-idp.{region}.amazonaws.com/{userPoolId}",
        ValidAudience = clientId,
        
    };
});

I'm getting this error:

www-authenticate: Bearer error="invalid_token",
error_description="The audience 'empty' is invalid"

I validated my clientID in the AWS console.

Thanks for the help

Gary Archer

Cognito access tokens don't have an audience claim - though ideally they should. In other authorization servers, APIs check the received access token has the expected logical name, such as api.mycompany.com.

For Cognito you will need to configure .NET to not validate the audience, similar to this. Other token validation parameters are derived from the metadata endpoint derived from the issuer base URL:

private void ConfigureOAuth(IServiceCollection services)
{
    services
        .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Authority = this.configuration.IssuerBaseUrl;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateAudience = false,
            };
        });

    services.AddAuthorization(options => 
    {
        options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
    });
}

The FallbackPolicy then ensures that authentication is applied globally, except for endpoints annotated with [AllowAnonymous].

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2023-06-5

Comments

0 comments

TOP Ranking

Article

Cognito JWT Authorize in ASP.NET Core 6 Web API

Cognito JWT Authorize in ASP.NET Core 6 Web API

pump.io port in URL

grouping by column variables and appending a new variable based on condition

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

Group boxplot data while keeping their individual X axis labels in ggplot2 in R

Vector input in shiny R and then use it

BigQuery - concatenate ignoring NULL

Can a 32-bit antivirus program protect you from 64-bit threats

How to remove the extra space from right in a webview?

How to how increase/decrease compared to adjacent cell

android.content.Context.getSharedPreferences(java.lang.String, int)' on a null object reference id DBhandler

Getting 502 Bad Gateway Error While Deploying WordPress On Dockerized Lemp?

Type 'number' is not assignable to type 'NgIterable<any>' when trying to async observe a datasource

Check if a number is a perfect square

FFmpeg resize without upscaling

How do I display Label text character-by-character?

How to show an image in a View with ASP.NET MVC 5? (Many suggestions failed so far)

Json Schema - Conditional Evaluation with RegEx

PlayOnLinux displays weird looking window on 18.04 for MS Office installation

JMeter: Why get error when try to save test plan

Emulator wrong screen resolution in Android Studio 1.3