graphql-engine: Error: Could not verify JWT: JWSError JWSInvalidSignature Hasura, Docker and Cognito
I’m developing an application in which I use AWS Cognito as the authentication provider. The Hasura Engine is configured in a docker-compose file and runs on an AWS EC2 machine.
Following this tutorial https://hasura.io/blog/hasura-authentication-explained/#cognito I set HASURA_GRAPHQL_JWT_SECRET as shown below:
HASURA_GRAPHQL_JWT_SECRET: '{"type":"RS256","jwk_url":"https://cognito-idp.<region>.amazonaws.com/<user-pool-id>/.well-known/jwks.json","claims_format":"stringified_json"}'
From the client, I take the jwtToken from the idToken and put it in the Authorization header:
{
Authorization: 'Bearer <jwttoken>'
}
Then the following error occurs:
Unhandled Rejection (Error): Could not verify JWT: JWSError JWSInvalidSignature: {"response":{"errors":[{"extensions":{"path":"$","code":"invalid-jwt"},"message":"Could not verify JWT: JWSError JWSInvalidSignature"}],"status":200}
I don’t know if there is an error in my stringified JWKS; is that the problem?
As suggested by @praveenweb in https://github.com/hasura/graphql-engine/issues/3513, I was careful to put the HASURA_GRAPHQL_JWT_SECRET value in single quotes.
About this issue
- State: open
- Created 4 years ago
- Reactions: 4
- Comments: 16 (2 by maintainers)
I am getting the same error with Firebase Auth, after following this https://hasura.io/blog/authentication-and-authorization-using-hasura-and-firebase
The use case that is failing for me is the following: I have a Hasura action that triggers a Firebase cloud function; within that function I use Firebase's Admin SDK to create a new token https://firebase.google.com/docs/auth/admin/create-custom-tokens
I then try to make a call to Hasura and get the same error.
The Admin SDK is configured for the same project as the project id set in Hasura's HASURA_GRAPHQL_JWT_SECRET.
I'm not sure if this is related, but the data here https://firebase.google.com/docs/auth/admin/create-custom-tokens#web looks different to what's in that blog post.
Something that solved it for me today: I was copying the access_token too, instead of just the id_token in the response. Once I removed the part after &access_token= it worked.