Stage 5 — Verify Authentication End-to-End

How to complete this stage

Confirm that users can log in, receive a token, and that the access service can read identity and group information from that token. Open a new terminal for this stage. Environment variables are not shared between terminals.

Approach and rationale

This stage proves that identity is working correctly before introducing data or access control. If this stage fails, later steps will fail in harder-to-diagnose ways. You are verifying that:

  • A user can authenticate successfully.
  • A valid JWT can be issued.
  • The access service can read identity and group membership from the token.
  • The identity provider exposes signing keys (JWKS) for token verification.

5.1 Re-export required variables

Ensure the following variables are set in this terminal. These must match the values created earlier.

export USER_POOL_ID="local_XXXXXXXX"
export CLIENT_ID="YOUR_CLIENT_ID"
export COGNITO_ADMIN_PASSWORD="<the password you chose earlier>"

Replace the placeholder values with your actual values. The token-fetching scripts rely on these variables to authenticate against the correct user pool and app client.

5.2 Obtain an ID token

Fetch an ID token for a test user. This token represents a successful login. From the ianode-access directory:

cd ~/src/ianode-access
source cognito-local/fetch_id_token.sh

To fetch a token for a specific user (for example, an admin user):

source cognito-local/fetch_id_token.sh "test+user+admin@ndtp.co.uk"

If successful, the script will export a variable named:

  • COGNITO_ID_TOKEN

5.3 Verify the token using the access service

Call the /whoami endpoint using the token you just fetched:

curl -H "Authorization: bearer $COGNITO_ID_TOKEN" http://localhost:8091/whoami

Expected behaviour

The response should return user details, including:

  • Identity information
  • Group membership
  • Resolved attributes

5.4 Verify signing keys (JWKS) are available

Fetch the JSON Web Key Set (JWKS) published by the identity provider. The IA node uses this endpoint to verify token signatures.

curl "http://localhost:9229/${USER_POOL_ID}/.well-known/jwks.json"

Expected behaviour

The endpoint should return JSON containing signing keys. If this endpoint does not return valid JSON, token verification will fail later even if login appears to work.

5.5 Checkpoint

At the end of this stage:

  • An ID token can be issued successfully.
  • The /whoami endpoint returns user details when called with a token.
  • The JWKS endpoint returns valid JSON.

If all three are true, identity and authentication are working correctly. Do not proceed until this checkpoint passes.

Next Steps

Proceed to Build IA Node Components