I'm developing an application in which I use AWS Cognito as authentication provider.
The Hasura Engine is configured in a docker-compose file and it runs on an AWS EC2 machine.
Following this tutorial https://hasura.io/blog/hasura-authentication-explained/#cognito I set HASURA_GRAPHQL_JWT_SECRET as shown below:
HASURA_GRAPHQL_JWT_SECRET: '{"type":"RS256","jwk_url":"https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json","claims_format":"stringified_json"}'
From the client, I get jwtToken from idToken and put it in authorization header:
{
Authorization: 'Bearer <jwttoken>'
}
Then follows the error:
Unhandled Rejection (Error): Could not verify JWT: JWSError JWSInvalidSignature: {"response":{"errors":[{"extensions":{"path":"$","code":"invalid-jwt"},"message":"Could not verify JWT: JWSError JWSInvalidSignature"}],"status":200}
I don't know if there is any error in my stringified jwks, is it the problem?
As told by @praveenweb in https://github.com/hasura/graphql-engine/issues/3513 I was careful about putting the HASURA_GRAPHQL_JWT_SECRET value in single quotes.
@lucasmachadorj Can you check what type of JWT is being generated by Cognito? Is it type: RS256 ? Or something else?
Aren't Cognito JWTs always RS-256?
From here: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-verifying-a-jwt.html#amazon-cognito-user-pools-using-tokens-step-2
User pools use an RS256 cryptographic algorithm, which is an RSA signature with SHA-256.
Also, you do not need the type key in the JWT config if jwk_url is being used since v1.2. So, this issue needs more info. For example, you can use jwt.io to decode/verify a sample JWT generated by Cognito.
I am getting same error with firebase auth. After following this https://hasura.io/blog/authentication-and-authorization-using-hasura-and-firebase
Use case that is failing for me is the following: I have a hasura action that triggers a firebase cloud function, within that function I use firebase's admin sdk to create a new token https://firebase.google.com/docs/auth/admin/create-custom-tokens
I then try to make call to hasura and get same error
const data = await fetch("https://api.dev/v1/graphql", {
  method: "POST",
  body: JSON.stringify({ query }),
  headers: {
    Authorization: `Bearer ${token}`,
  },
});
Admin is configured for same project as project id set in hasura HASURA_GRAPHQL_JWT_SECRET. I'm not sure if this is related but data here https://firebase.google.com/docs/auth/admin/create-custom-tokens#web looks different to what's in that blog post
Something that solved for me today is I was copying the access_token too instead of just the id_token in the response. Once I removed the part after &access_token= it worked.

I'm having the same issue with Cognito + Hasura as OP after following the same tutorial directions. I've verified that my token is valid using jwt.io, is RS256, and that the HASURA_GRAPHQL_JWT_SECRET environment variable is set. I'm running Hasura v1.1 so I'm still including the type property in the environment var as described in the tutorial. Removing the type property causes Hasura to return a 503 when making requests.
Any additional debugging suggestions would be greatly appreciated.
I was able to resolve my issues by a combination of pressing all the Heroku buttons and regenerating the access token. My guess is that regenerating the access token was what actually fixed my issues. We also upgraded to Hasura 1.3 and removed new line characters from the HASURA_GRAPHQL_JWT_SECRET env var.
I'm facing the same issue now. If I use cognito for javascript (web app), hasura could verify my JWT, but if I use cognito for mobile app, hasura could not verify the JWT.
Could someone help me please? Is there any difference between setting up web app and mobile app?
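Added example, not part of the thread and not Hasura or AWS code: a Node.js sketch of the structural checks the comments above describe doing by hand (decode the token, compare alg and kid with the JWKS, look for pasted extra characters in the token or newlines in the env var). It does not verify the signature; the function names, finding labels and sample values are constructed for illustration, and the issuer check assumes Cognito's issuer URL layout.

```javascript
// Added diagnostic sketch (hypothetical helper names): structure checks only, no signature check.
function b64urlJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// rawToken: the value sent after "Bearer "; secretEnv: the raw HASURA_GRAPHQL_JWT_SECRET string;
// jwks: the parsed JSON body served at the configured jwk_url.
function diagnoseJwt(rawToken, secretEnv, jwks) {
  const findings = [];
  if (/[\r\n]/.test(secretEnv)) findings.push("secret-has-newline");
  let cfg;
  try {
    cfg = JSON.parse(secretEnv);
  } catch (e) {
    return findings.concat("secret-not-json");
  }
  // A pasted redirect fragment ("<id_token>&access_token=...") or stray whitespace breaks the signature.
  if (/[\s&=]/.test(rawToken)) findings.push("token-has-extra-characters");
  const parts = rawToken.split(".");
  if (parts.length !== 3) return findings.concat("token-not-three-segments");
  let header, claims;
  try {
    header = b64urlJson(parts[0]);
    claims = b64urlJson(parts[1]);
  } catch (e) {
    return findings.concat("token-not-decodable");
  }
  if (cfg.type && header.alg !== cfg.type) findings.push("alg-mismatch");
  // The verification key is selected by kid; a token from another pool or project is not in this set.
  const kids = ((jwks && jwks.keys) || []).map((k) => k.kid);
  if (!kids.includes(header.kid)) findings.push("kid-not-in-jwks");
  // Assumption: for Cognito, jwk_url is the token's iss plus "/.well-known/jwks.json".
  const isCognito = /cognito-idp\./.test(cfg.jwk_url || "");
  if (isCognito && claims.iss && !cfg.jwk_url.startsWith(claims.iss + "/")) {
    findings.push("issuer-mismatch");
  }
  return findings;
}

// Constructed sample data: no real user pool, key or signature.
const SAMPLE_ISS = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE";
const SAMPLE_SECRET = JSON.stringify({ type: "RS256", jwk_url: SAMPLE_ISS + "/.well-known/jwks.json" });
const SAMPLE_JWKS = { keys: [{ kid: "key-1", kty: "RSA", alg: "RS256" }] };
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = (kid, iss) => [enc({ alg: "RS256", kid }), enc({ iss }), "c2ln"].join(".");
```

An empty result only means the token and configuration are structurally consistent; the signature itself still has to be checked against the key served at the jwk_url.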