jwt_auth_cognito 1.0.0.pre.beta.8 → 1.0.0.pre.beta.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +44 -0
- data/CLAUDE.md +1 -1
- data/README.md +3 -7
- data/lib/jwt_auth_cognito/jwks_service.rb +20 -30
- data/lib/jwt_auth_cognito/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 97be07f0c6be821ad157fcf5c6b7a173fc6866145d2b738481aaa3b912c39703
|
|
4
|
+
data.tar.gz: 28f5119547d00881a8ccb84be5ca584cf81394a4ba1ce86cf1d5306855037f15
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: e0d17203f3fdba6311fd43d56a451f4e454015f37ab91c7f1231ac334d2c8fb92b2c6fc05b08d109acd0386b3754fec1be1cc5b4bb5ae7e15e4483d9527f9d38
|
|
7
|
+
data.tar.gz: cc89ebd874a97fdac6fd6fe9c417d9e53f41658aab723a47e4df0c3551fe64dc447c507035d8daa42696a29f342a60d8c4a7987a5f880dd589d5ad41e8414805
|
data/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,50 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
## [Unreleased]
|
|
9
9
|
|
|
10
|
+
## [1.0.0-beta.10] - 2025-01-23
|
|
11
|
+
|
|
12
|
+
### Fixed
|
|
13
|
+
|
|
14
|
+
- **Audience Validation**: Fixed overly strict audience validation for AWS Cognito access tokens
|
|
15
|
+
- Access tokens from Cognito typically don't include 'aud' claim, only ID tokens do
|
|
16
|
+
- Modified JWKS validation to only enforce audience checking for ID tokens (`token_use: 'id'`)
|
|
17
|
+
- Access tokens (`token_use: 'access'`) now skip audience validation as per AWS Cognito standards
|
|
18
|
+
- Resolves "Invalid audience. Expected [client_id], received <none>" error for access tokens
|
|
19
|
+
- Maintains proper security validation for ID tokens
|
|
20
|
+
|
|
21
|
+
### Improved
|
|
22
|
+
|
|
23
|
+
- **JWT Standards Compliance**: Enhanced compatibility with AWS Cognito token specifications
|
|
24
|
+
- Pre-decodes tokens to determine type before applying validation rules
|
|
25
|
+
- Follows AWS Cognito best practices for token type-specific validation
|
|
26
|
+
- Maintains backward compatibility with existing ID token validation
|
|
27
|
+
|
|
28
|
+
## [1.0.0-beta.9] - 2025-01-22
|
|
29
|
+
|
|
30
|
+
### Fixed
|
|
31
|
+
|
|
32
|
+
- **JWKS OpenSSL Compatibility**: Complete reimplementation of JWK handling to eliminate OpenSSL version compatibility issues
|
|
33
|
+
- Replaced manual JWK to PEM conversion with JWT gem's native JWK support
|
|
34
|
+
- Removed complex OpenSSL version-specific fallback logic (40+ lines → 8 lines)
|
|
35
|
+
- Eliminates "undefined method 'n=' for OpenSSL::PKey::RSA" and "set_key= is incompatible with OpenSSL 3.0" errors
|
|
36
|
+
- Uses `JWT::JWK.import()` for robust, library-managed key conversion
|
|
37
|
+
- Aligned approach with Node.js jwt-auth-package implementation for consistency
|
|
38
|
+
|
|
39
|
+
- **TLS Configuration**: Removed problematic TLS versioning from Redis SSL configuration
|
|
40
|
+
- Eliminated redis_tls_min_version and redis_tls_max_version parameters
|
|
41
|
+
- Simplified SSL configuration to focus on certificate validation and verify mode
|
|
42
|
+
- Resolves "unrecognized version TLSv1_2" errors
|
|
43
|
+
- Maintains backward compatibility with existing Redis SSL setups
|
|
44
|
+
|
|
45
|
+
### Improved
|
|
46
|
+
|
|
47
|
+
- **Code Quality**: Significantly simplified and more maintainable JWKS implementation
|
|
48
|
+
- Reduced complexity and eliminated OpenSSL version-specific code paths
|
|
49
|
+
- Better error handling with specific JWT::JWKError exceptions
|
|
50
|
+
- Enhanced reliability by leveraging well-tested JWT gem capabilities
|
|
51
|
+
- All tests passing (74 examples, 0 failures)
|
|
52
|
+
- RuboCop compliant with no style violations
|
|
53
|
+
|
|
10
54
|
## [1.0.0-beta.6] - 2025-01-22
|
|
11
55
|
|
|
12
56
|
### Fixed
|
data/CLAUDE.md
CHANGED
|
@@ -304,7 +304,7 @@ JWKS_CACHE_TTL=3600 # 1 hour
|
|
|
304
304
|
|
|
305
305
|
## Version Compatibility
|
|
306
306
|
|
|
307
|
-
### ✅ **Updated January 2025 - Version 1.0.0-beta.
|
|
307
|
+
### ✅ **Updated January 2025 - Version 1.0.0-beta.10**
|
|
308
308
|
|
|
309
309
|
**Stable production-ready beta with complete pipeline compatibility**
|
|
310
310
|
|
data/README.md
CHANGED
|
@@ -5,7 +5,7 @@ Una gema Ruby para validar tokens JWT de AWS Cognito de forma offline con funcio
|
|
|
5
5
|
## Características
|
|
6
6
|
|
|
7
7
|
- **Validación JWT Offline**: Valida tokens JWT de Cognito sin llamar a las APIs de AWS
|
|
8
|
-
- **Soporte JWKS**: Recuperación automática y cache de claves públicas desde el endpoint JWKS de Cognito
|
|
8
|
+
- **Soporte JWKS**: Recuperación automática y cache de claves públicas desde el endpoint JWKS de Cognito con compatibilidad total OpenSSL
|
|
9
9
|
- **Blacklist de Tokens**: Gestión de revocación y blacklist de tokens basada en Redis con soporte TLS completo
|
|
10
10
|
- **Configuración Flexible**: Soporte para modos de validación seguro (producción) y básico (desarrollo)
|
|
11
11
|
- **Gestión de Tokens de Usuario**: Rastrear e invalidar todos los tokens de un usuario específico
|
|
@@ -53,9 +53,7 @@ JwtAuthCognito.configure do |config|
|
|
|
53
53
|
config.redis_ssl = true
|
|
54
54
|
config.redis_ca_cert_path = 'redis' # AWS SSM path
|
|
55
55
|
config.redis_ca_cert_name = 'ca-cert' # AWS SSM parameter name
|
|
56
|
-
config.
|
|
57
|
-
config.redis_tls_max_version = 'TLSv1.3'
|
|
58
|
-
config.redis_verify_mode = 'peer'
|
|
56
|
+
config.redis_verify_mode = 'peer' # 'peer' para validación estricta, 'none' para desarrollo
|
|
59
57
|
|
|
60
58
|
# Opcional: Configuraciones de cache y validación
|
|
61
59
|
config.jwks_cache_ttl = 3600 # 1 hora
|
|
@@ -88,9 +86,7 @@ REDIS_TLS=true
|
|
|
88
86
|
# Configuración TLS de Redis (compatible con auth-service)
|
|
89
87
|
REDIS_CA_CERT_PATH=redis # Para AWS SSM (path del parámetro)
|
|
90
88
|
REDIS_CA_CERT_NAME=ca-cert # Para AWS SSM (nombre del parámetro)
|
|
91
|
-
|
|
92
|
-
REDIS_TLS_MAX_VERSION=TLSv1_3
|
|
93
|
-
REDIS_VERIFY_MODE=peer
|
|
89
|
+
REDIS_VERIFY_MODE=peer # 'peer' para validación estricta, 'none' para desarrollo
|
|
94
90
|
|
|
95
91
|
# Configuración de cache
|
|
96
92
|
JWKS_CACHE_TTL=3600
|
|
@@ -23,6 +23,13 @@ module JwtAuthCognito
|
|
|
23
23
|
raise ValidationError, 'Token missing key ID (kid)' unless kid
|
|
24
24
|
|
|
25
25
|
public_key = get_public_key(kid)
|
|
26
|
+
# First decode to check token type before audience validation
|
|
27
|
+
payload_preview = JWT.decode(token, nil, false).first
|
|
28
|
+
|
|
29
|
+
# Only verify audience for ID tokens, not access tokens
|
|
30
|
+
# Access tokens from Cognito might not have 'aud' claim
|
|
31
|
+
should_verify_aud = @config.cognito_client_id && payload_preview['token_use'] == 'id'
|
|
32
|
+
|
|
26
33
|
decoded_token = JWT.decode(
|
|
27
34
|
token,
|
|
28
35
|
public_key,
|
|
@@ -31,8 +38,8 @@ module JwtAuthCognito
|
|
|
31
38
|
algorithm: 'RS256',
|
|
32
39
|
iss: @config.cognito_issuer,
|
|
33
40
|
verify_iss: true,
|
|
34
|
-
aud: @config.cognito_client_id,
|
|
35
|
-
verify_aud:
|
|
41
|
+
aud: should_verify_aud ? @config.cognito_client_id : nil,
|
|
42
|
+
verify_aud: should_verify_aud
|
|
36
43
|
}
|
|
37
44
|
)
|
|
38
45
|
|
|
@@ -66,8 +73,8 @@ module JwtAuthCognito
|
|
|
66
73
|
|
|
67
74
|
raise ValidationError, 'Key ID not found in JWKS' unless key_data
|
|
68
75
|
|
|
69
|
-
# Convert JWK to
|
|
70
|
-
public_key =
|
|
76
|
+
# Convert JWK to key using JWT gem's native support
|
|
77
|
+
public_key = jwk_to_key(key_data)
|
|
71
78
|
|
|
72
79
|
# Cache the key
|
|
73
80
|
@cache[kid] = public_key
|
|
@@ -93,33 +100,16 @@ module JwtAuthCognito
|
|
|
93
100
|
raise ValidationError, "Failed to fetch JWKS: #{e.message}"
|
|
94
101
|
end
|
|
95
102
|
|
|
96
|
-
def
|
|
97
|
-
#
|
|
98
|
-
|
|
99
|
-
e = base64url_decode(key_data['e'])
|
|
100
|
-
|
|
101
|
-
# Create RSA key using method compatible with OpenSSL 3.0+
|
|
102
|
-
n_bn = OpenSSL::BN.new(n, 2)
|
|
103
|
-
e_bn = OpenSSL::BN.new(e, 2)
|
|
104
|
-
|
|
105
|
-
# Use the new constructor that accepts modulus and exponent
|
|
106
|
-
key = OpenSSL::PKey::RSA.new
|
|
107
|
-
|
|
108
|
-
# For OpenSSL 3.0+ compatibility, use set_key method if available
|
|
109
|
-
if key.respond_to?(:set_key)
|
|
110
|
-
key.set_key(n_bn, e_bn, nil)
|
|
111
|
-
else
|
|
112
|
-
# Fallback for older OpenSSL versions
|
|
113
|
-
key.n = n_bn
|
|
114
|
-
key.e = e_bn
|
|
115
|
-
end
|
|
116
|
-
|
|
117
|
-
key
|
|
118
|
-
end
|
|
103
|
+
def jwk_to_key(key_data)
|
|
104
|
+
# Use JWT gem's native JWK support instead of manual OpenSSL conversion
|
|
105
|
+
# This eliminates OpenSSL version compatibility issues
|
|
119
106
|
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
107
|
+
jwk = JWT::JWK.import(key_data)
|
|
108
|
+
jwk.keypair
|
|
109
|
+
rescue JWT::JWKError => e
|
|
110
|
+
raise ValidationError, "Invalid JWK format: #{e.message}"
|
|
111
|
+
rescue StandardError => e
|
|
112
|
+
raise ValidationError, "Failed to convert JWK to key: #{e.message}"
|
|
123
113
|
end
|
|
124
114
|
|
|
125
115
|
def cache_valid?(kid)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: jwt_auth_cognito
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.0.0.pre.beta.
|
|
4
|
+
version: 1.0.0.pre.beta.10
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- The Optimal
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2025-09-
|
|
11
|
+
date: 2025-09-23 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: aws-sdk-ssm
|