How To Verify Access Token on Server

So I want to create a game, but I don't want to store sensitive user data on my server (due to new laws ... etc). So I thought Cognito might work out well. I read this article about a possible setup: https://aws.amazon.com/blogs/gametech/how-to-set-up-player-authentication-with-amazon-cognito/. So I am trying to set up authentication where the client fetches tokens from Cognito, and then the server will allow the user to call certain functions if it can verify that token.

One thing that confused me is that in the C++ code sample they provided, they verified the client-obtained access_token by calling getUserRequest.SetAccessToken(accessToken); to set and ultimately verify the token on the server. Well, on my server I am using PHP, and I cannot find anything in the SDK to set the access token like this (I looked here: https://github.com/aws/aws-sdk-php/tree/master/src). However, after doing some research on verifying access_tokens from Cognito, I found this article: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html. This article states that access tokens are just JWTs, and you could verify them with a third-party JWT library. So I am a little confused... Should I find a function in the AWS SDK that verifies the access token on the server, or should I just verify the JWT on its own? In the C++ example, the server also set up a Cognito client; is this required to ensure the token is refreshed when it expires?

Thanks for any help.



Solution 1:[1]

You can use the getUser method in the Amazon PHP SDK:

https://docs.aws.amazon.com/cognito-user-identity-pools/latest/APIReference/API_GetUser.html

Example:

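use Aws\CognitoIdentityProvider\CognitoIdentityProviderClient;
use Aws\CognitoIdentityProvider\Exception\CognitoIdentityProviderException;

$client = new CognitoIdentityProviderClient([
    'version' => '2016-04-18',
    'region' => '<aws region>',
]);

try {
    // GetUser only succeeds if Cognito accepts the access token
    $user = $client->getUser([
        'AccessToken' => '<access_token>',
    ]);
} catch (CognitoIdentityProviderException $e) {
    // Thrown when Cognito rejects the request, e.g. an invalid or expired token
    var_dump($e);
}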
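
The other option the question raises, verifying the JWT on its own, is sketched below as an added example that is not part of the original answer or of the AWS SDK. The function names, pool id and client id are hypothetical, and a locally generated RSA key stands in for the public key that would normally be taken from the user pool's JWKS.

```php
<?php
// Added example, not from the original answer. Pool id, client id and key pair are
// constructed; in production the public key comes from the user pool's JWKS.
function b64url_decode(string $s): string {
    return base64_decode(strtr($s, '-_', '+/') . str_repeat('=', (4 - strlen($s) % 4) % 4));
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the claims if every check passes, otherwise null.
function verify_access_token(string $jwt, string $pubPem, string $iss, string $clientId, int $now): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm instead of trusting whatever the token header asks for.
    if (!is_array($header) || ($header['alg'] ?? '') !== 'RS256') return null;
    if (openssl_verify("$h.$p", b64url_decode($s), $pubPem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $c = json_decode(b64url_decode($p), true);
    if (!is_array($c)) return null;
    if (($c['iss'] ?? '') !== $iss) return null;              // issued by our user pool
    if (($c['token_use'] ?? '') !== 'access') return null;    // an access token, not an ID token
    if (($c['client_id'] ?? '') !== $clientId) return null;   // issued to our app client
    if (!is_int($c['exp'] ?? null) || $c['exp'] <= $now) return null; // not expired
    return $c;
}

// --- constructed demo data ---
$iss = 'https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE';
$clientId = 'example-app-client-id';
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pubPem = openssl_pkey_get_details($key)['key'];
$mint = function (array $claims) use ($key): string {
    $in = b64url_encode(json_encode(['alg' => 'RS256', 'kid' => 'demo'])) . '.' . b64url_encode(json_encode($claims));
    openssl_sign($in, $sig, $key, OPENSSL_ALGO_SHA256);
    return $in . '.' . b64url_encode($sig);
};
$good = ['iss' => $iss, 'token_use' => 'access', 'client_id' => $clientId, 'exp' => time() + 3600];
$t = explode('.', $mint($good)); // header and signature reused with an edited payload below
$cases = [
    'valid access token' => $mint($good),
    'ID token'           => $mint(['token_use' => 'id'] + $good),
    'expired token'      => $mint(['exp' => time() - 60] + $good),
    'swapped payload'    => $t[0] . '.' . b64url_encode(json_encode(['exp' => time() + 86400] + $good)) . '.' . $t[2],
];
foreach ($cases as $name => $jwt) {
    $ok = verify_access_token($jwt, $pubPem, $iss, $clientId, time()) !== null;
    echo str_pad($name, 20), $ok ? "accepted\n" : "rejected\n";
}
```

A local check like this cannot see a sign-out or revocation that happened after the token was issued; the getUser call shown above asks Cognito itself.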

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 atymic