How does Slash GraphQL Verify JWTs (Cognito)

I’m quite honestly quite new to auth related things so apologies in advance. I understand that JWTs contain claims as to who they are and their roles. I’m not sure how the signer of the JWT gets verified however. I’m attempting to use it with AWS Cognito.

A JWT claims object is generated after a user has been authenticated through some kind of user verification process (password, integrated platform) that identifies the user.

The claims object is prefixed with information containing how the claims should be signed.

Then using a private key the claims are signed and these three parts are combined together to make the JWT.

On Dgraph’s side receiving the JWT:

It can take the claims section and decode it back to the original.

It then uses the same prefix data and its copy of the private key to sign the claims and generate a signature. It then compares the incoming signature vs its generated signature to see if it matches.

Before it does this though, Dgraph will check the expiration and the audience if provided.

Does that sum it up enough?


Yes it does, I just read the overview section.

# Dgraph.Authorization {"VerificationKey":"","Header":"","Namespace":"","Algo":"","Audience":[]}

Was what I was looking for.

Thanks @amaster507 for answering this :slight_smile: