We are currently using AWS Cognito for authentication.
Is it possible to override (or build our own RequestFilter) to wrap validating of the AWS generated token to verify/decorate requests?
Not sure if this is the right approach, but it would seem unnecessary to rely on IAuthSession to maintain AWS token information as it will be passed in as a bearer token with each request.
The appropriate approach would be to create a Cognito Auth Provider that parses the Token and populates a partial User Session based on info contained in the token. You should also populate the FromToken property to indicate it’s a partial User Session.
Have a look at the JwtAuthProviderReader, which is essentially doing the same thing, populating a partial UserSession from information contained in the token in the IAuthWithRequest PreAuthenticate() method:
It seems this approach has opened up an internal debate (at my current company) about using sessions for REST. It seems there is a school of thought that the API shouldn't maintain state. I personally think there is a trade-off, especially where performance is concerned, but that is for another day.
I am going to take a different approach as a POC which employs a Custom Request Filter that validates the signature and claims of the incoming access token from AWS Cognito. This just takes care of authentication - Authorization/Roles will need further consideration.
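Putting the two posts above together, here is an added example (not code from the thread, from ServiceStack or from AWS) of a Cognito auth provider that validates the access token's signature and claims on every request and installs a partial, FromToken session, so nothing token-related is kept in a session store. It assumes the synchronous ServiceStack 5.x AuthProvider/IAuthWithRequest signatures and the Microsoft.IdentityModel JWT/OpenID Connect packages for JWKS-based validation; the issuer and client id are placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Web;
public class CognitoAuthProvider : AuthProvider, IAuthWithRequest
{
    const string Issuer = "https://cognito-idp.<region>.amazonaws.com/<userPoolId>"; // placeholder: the User Pool
    const string ClientId = "<appClientId>";                                        // placeholder: its app client
    // Fetches and caches the pool's signing keys (JWKS) via its OpenID discovery document.
    static readonly ConfigurationManager<OpenIdConnectConfiguration> Discovery =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            Issuer + "/.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
    public CognitoAuthProvider() { Provider = "cognito"; }
    // Runs on every request: validate the bearer token, then install a partial session built from it.
    public void PreAuthenticate(IRequest req, IResponse res)
    {
        var bearer = req.GetBearerToken();
        if (string.IsNullOrEmpty(bearer)) return; // no token: the request simply stays unauthenticated
        var rules = new TokenValidationParameters {
            ValidIssuer = Issuer,                                   // iss must be this pool
            IssuerSigningKeys = Discovery.GetConfigurationAsync().GetAwaiter().GetResult().SigningKeys,
            ValidateAudience = false, ClockSkew = TimeSpan.FromMinutes(1), // access tokens carry client_id, not aud
        };
        JwtSecurityToken jwt;
        try {
            new JwtSecurityTokenHandler().ValidateToken(bearer, rules, out var validated); // signature, iss, exp/nbf
            jwt = (JwtSecurityToken)validated;
        } catch (Exception e) when (e is SecurityTokenException || e is ArgumentException) {
            throw HttpError.Unauthorized("Invalid token");
        }
        string Claim(string type) => jwt.Claims.FirstOrDefault(c => c.Type == type)?.Value;
        // Cognito-specific checks the library does not do: token type and issuing app client.
        if (Claim("token_use") != "access" || Claim("client_id") != ClientId)
            throw HttpError.Unauthorized("Token not issued for this API");
        req.Items[Keywords.Session] = new AuthUserSession {
            UserAuthId = jwt.Subject, UserName = Claim("username"), AuthProvider = Provider,
            Roles = jwt.Claims.Where(c => c.Type == "cognito:groups").Select(c => c.Value).ToList(),
            IsAuthenticated = true, FromToken = true, // partial session, populated only from the token
        };
    }
    public override bool IsAuthorized(IAuthSession session, IAuthTokens tokens, Authenticate request = null)
        => session != null && session.FromToken && session.IsAuthenticated;
    // Tokens are issued by Cognito, not by this API, so the /auth endpoint flow is not supported.
    public override object Authenticate(IServiceBase authService, IAuthSession session, Authenticate request)
        => throw new NotSupportedException("Obtain an access token from Cognito and send it as a Bearer token");
}
```

Register it with `new AuthFeature(() => new AuthUserSession(), new IAuthProvider[] { new CognitoAuthProvider() })`; the Cognito group claims mapped onto Roles give `[RequiredRole]` something to check, which is the authorization piece the last post leaves open.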