I am using AWS Cognito for my web app.

I logged into my webapp and got the access / refresh tokens from browser dev mode.

The access token can be decoded on https://jwt.io/:

The header is:

{
  "kid": "M+aYDxi5AeOrvlUkPyNA5GmA4V8ZdTPPnr5wO6M1neU=",
  "alg": "RS256"
}

The payload is:

{
  "origin_jti": "0cf3100a-bfdd-49e0-bae3-12345678",
  "sub": "1585d704-2985-4447-b265-12345678",
  "event_id": "ead55f68-59d0-4b7f-9bb8-123",
  "token_use": "access",
  "scope": "aws.cognito.signin.user.admin",
  "auth_time": 1646640361,
  "iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_123",
  "exp": 1646640661,
  "iat": 1646640361,
  "jti": "ea239510-8fd4-497d-b2ac-05a0377d63ef",
  "client_id": "123qwe",
  "username": "staff"
}

However, the refresh token is not properly decoded. The header is:

{
  "cty": "JWT",
  "enc": "A256GCM",
  "alg": "RSA-OAEP"
}

The payload is:

"v�zsV_%������$��\u0014���1��Z�c���hyE�\u0000�\u0001�9W����G�5���\n\nҴ�\t!8Mc\u0000~3}K�4��X=\"�%\u0015�2�\"S,��M��\u0000=S�\u0011r�*H9�}\u0002��t]�xU'�Lk��N\n�xB�Yg�`�m�\n�_�ey��j�o���_�lJ�e^�h\n=�\u001a�V7�!�]�5A\u0014\u0012(3��i(mu���\u0018�c�Y���ׁ��.VC��3�yk6��$b�X�5�C�Q�/���)���=\u001b|a�\u000b\f�\u0015/\u0005\u00057����aߨ`�B�.�\u000f�(]�\\�\u0007G�"

It looks like the algo for the refresh token is RSA-OAEP and the https://jwt.io/ site does not support this algo yet.

Is there an online tool where I can get the refresh token properly decoded?

1 Answer

The refresh token payload is encrypted because it's not for you. Its contents are only meant for the authorization server, which will be able to decrypt it. You only use the refresh token to request a new access token when yours expires.

You can learn how to use the refresh token in the AWS docs, and get an overview of how they work on the OAuth site.
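As an added illustration of the answer (this is not code from the question, the answer or AWS), the stand-alone Python below classifies a compact JOSE token by its segment count and shows why jwt.io could decode one token and not the other: a JWS has three segments and its payload is merely base64url-encoded, whereas a JWE (RFC 7516) has five, and its second segment is the RSA-OAEP-wrapped content-encryption key, which is exactly the binary garbage shown above; the header's "cty": "JWT" says the encrypted content is itself a JWT that only Cognito can open. The tokens it inspects are constructed from the headers and claims pasted in the question; the signature, wrapped key, IV, ciphertext and tag are placeholder bytes, and the expected issuer and client id are the values from the question's claims. It also lists the claim checks a resource server applies to the access token after verifying the RS256 signature, since being able to decode claims is not the same as being allowed to trust them.

```python
import base64
import json
import time

# Constructed sample tokens, not real Cognito tokens. Both headers reproduce the
# ones pasted in the question; the JWS payload reuses the question's access-token
# claims; the signature and all four JWE segments after the header are filler bytes.


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JOSE requires (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JOSE strips, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


ACCESS_HEADER = {"kid": "M+aYDxi5AeOrvlUkPyNA5GmA4V8ZdTPPnr5wO6M1neU=", "alg": "RS256"}
ACCESS_CLAIMS = {
    "sub": "1585d704-2985-4447-b265-12345678",
    "token_use": "access",
    "scope": "aws.cognito.signin.user.admin",
    "auth_time": 1646640361,
    "iss": "https://cognito-idp.ap-northeast-1.amazonaws.com/ap-northeast-1_123",
    "exp": 1646640661,
    "iat": 1646640361,
    "client_id": "123qwe",
    "username": "staff",
}
# JWS compact form: header.payload.signature (3 segments). Placeholder signature.
SAMPLE_ACCESS_TOKEN = ".".join(
    [_json_segment(ACCESS_HEADER), _json_segment(ACCESS_CLAIMS), b64url_encode(b"\x00" * 256)]
)

REFRESH_HEADER = {"cty": "JWT", "enc": "A256GCM", "alg": "RSA-OAEP"}
# JWE compact form: header.encrypted_key.iv.ciphertext.tag (5 segments), RFC 7516 section 7.1.
# Segment 2 is the content-encryption key wrapped with the recipient's RSA public key,
# so it is random-looking bytes; that is what jwt.io rendered as the "payload".
SAMPLE_REFRESH_TOKEN = ".".join(
    [
        _json_segment(REFRESH_HEADER),
        b64url_encode(b"\x11" * 256),  # placeholder RSA-OAEP-wrapped CEK (2048-bit key -> 256 bytes)
        b64url_encode(b"\x22" * 12),   # placeholder 96-bit GCM IV
        b64url_encode(b"\x33" * 64),   # placeholder ciphertext of the inner JWT
        b64url_encode(b"\x44" * 16),   # placeholder 128-bit GCM authentication tag
    ]
)


def inspect_token(token: str) -> dict:
    """Classify a compact JOSE token and decode only what the holder can legitimately read."""
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    if len(parts) == 3:
        # JWS: the payload is only base64url-encoded, so anyone holding the token can
        # read it. Reading it is NOT verifying it; see basic_claim_checks() for what a
        # resource server must still do after checking the RS256 signature.
        return {"kind": "JWS", "header": header, "claims": json.loads(b64url_decode(parts[1]))}
    if len(parts) == 5:
        # JWE: the content is encrypted to the recipient, here Cognito itself.
        # Without its private key there is nothing for the client to decode.
        return {
            "kind": "JWE",
            "header": header,
            "claims": None,
            "encrypted_key_bytes": len(b64url_decode(parts[1])),
        }
    raise ValueError(f"expected 3 (JWS) or 5 (JWE) segments, got {len(parts)}")


def basic_claim_checks(claims: dict, expected_iss: str, expected_client_id: str, now: int) -> list:
    """Return the names of the failed checks (an empty list means the claims pass).

    These accompany signature verification against the user pool's JWKS
    (<iss>/.well-known/jwks.json, key selected by the header's kid)."""
    failures = []
    if claims.get("iss") != expected_iss:
        failures.append("iss")
    if claims.get("token_use") != "access":
        failures.append("token_use")
    if claims.get("client_id") != expected_client_id:
        failures.append("client_id")
    if now >= claims.get("exp", 0):
        failures.append("exp")
    return failures


if __name__ == "__main__":
    for name, tok in [("access", SAMPLE_ACCESS_TOKEN), ("refresh", SAMPLE_REFRESH_TOKEN)]:
        info = inspect_token(tok)
        print(name, info["kind"], info["header"]["alg"], "claims readable:", info["claims"] is not None)
    print(basic_claim_checks(ACCESS_CLAIMS, ACCESS_CLAIMS["iss"], "123qwe", now=int(time.time())))
```

Refreshing itself needs no decoding at all: the client hands the refresh token back to Cognito as an opaque string (the InitiateAuth call with the REFRESH_TOKEN_AUTH flow), and Cognito, which holds the matching private key, decrypts it and issues new tokens.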