docs: document known issue of invalid JWT padding by AWS Cognito + ELB

PR-URL: https://github.com/hasura/graphql-engine-mono/pull/10919
GitOrigin-RevId: 682d3918a3f018fd6c7d1d6a2b9ecdb6fca66df1

docs/docs/auth/authentication/jwt.mdx

@@ -741,15 +741,23 @@ Once authenticated, all operations are allowed without further check, until the
 
 ## Popular providers and known issues
 
+### AWS Cognito
+
+AWS Cognito and ELB (Elastic Load Balancer) has a known issue where it adds additional padding
+(using = characters) to the JWT token that is generated from Cognito.
+
+This is a known issue and is documented by AWS in [their
+docs](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html#user-claims-encoding):
+
+> Standard libraries are not compatible with the padding that is included in the Application Load
+> Balancer authentication token in JWT format.
+
+Currently, there is no workaround possible in Hasura. Even if Hasura strips the additional padding
+the signature verification of the token would fail (as Hasura had to tamper the token).
+
 ### Firebase
 
-This page of the Firebase
-[docs](https://firebase.google.com/docs/auth/admin/verify-id-tokens#verify_id_tokens_using_a_third-party_jwt_library)
-mentions that JWKs are published under:
-
-[https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com](https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com)
-
-But that is a non-standard format. Firebase also publishes the same certificates as the proper JWK format under:
+Firebase publishes the JWKs at:
 
 [https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com](https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com)
 
@@ -768,46 +776,6 @@ If you are using Firebase and Hasura, use this config:
 Refer to the [Auth0 JWT Integration tutorial](https://hasura.io/learn/graphql/hasura-authentication/integrations/auth0/)
 for a detailed guide on integrating Auth0 with Hasura.
 
-Auth0 publishes their JWK under:
-
-`https://<your-auth0-domain>.auth0.com/.well-known/jwks.json`
-
-But they have a
-[bug where the certificate thumbprint does not match](https://community.auth0.com/t/certificate-thumbprint-is-longer-than-20-bytes/7794/3).
-Hence, currently this URL does not work with Hasura.
-
-Current workaround is - download the X590 certificate from:
-
-`https://<your-auth0-domain>.auth0.com/pem`
-
-And use it in the `key` field:
-
-```json
-{
-  "type":"RS512",
-  "key": "-----BEGIN CERTIFICATE-----
-MIIDDTCAfWgAwIBAgIJhNlZ11IDrxbMA0GCSqSIb3DQEBCwUAMCQxIjAgBgNV
-BAMTGXlc3QtaGdlLWp3C5ldS5hdXRoMC5jb20HhcNMTgwNzMwMTM1MjM1WhcN
-MzIwND3MTM1MjM1WjAkSIwIAYDVQQDExl0ZXNLWhnZS1qd3QuZXUuYXV0aDAu
-Y29tMIBIjANBgkqhkiGw0BAQEFAAOCAQ8AMIICgKCAQEA13CivdSkNzRnOnR5
-ZNiReD+AgbL7BWjRiw3RwjxRp5PYzvAGuj94yR6LRh3QybYtsMFbSg5J7fNq6
-Ld6yMpMrUu8CBOnYY456b/2jlf+Vp8vEQuKvPOOw8Ev6x7X3blcuXCELSwyL3
-AGHq9OP2RV6V6CIE863zzuYH5HDLzU35oMZqogJVRJM0+6besH6TnSTNiA7xi
-BAqFaiRNQRVi1CAUa0bkN1XRp4AFy7d63VldOsM+8QnCNHySdDr1XevVuq6DK
-LQyGexFy4niALgHV0Q7A+xP1c2G6rJomZmn4j1avnlBpU87E58JMrRHOCj+5m
-Xj22/QDAQABo0IwQDAPgNVHRMBAf8EBTADAQHMB0GA1UdDgQWBBT6FvNkuUgu
-tk3OYQi4lo5aOgwazAOgNVHQ8BAf8EBAMCAoQDQYJKoZIhvcNAQELBQADggEB
-ADCLj+L22pEKyqaIUlhUJh7DAiDSLafy0fw56CntzPhqiZVVRlhxeAKidkCLV
-r9IEbRuxUoXiQSezPqM//9xHegMp0f2VauVCFg7EpUanYwvqFqjy9LWgH+SBz
-4uroLSZ5g1EPsHtlArLChA90caTX4e7Z7Xlu8G2kHRJB5nC7ycdbMUvEWBMeI
-tn/pcbmZ3/vlgj4UTEnURe2UPmSJpxmPwXqBcvwdKHRMgFXhZxojWCi0z4ftf
-f8t8UJIcbEblnkYe7wzYy8tOXoMMHqGSisCdkp/866029rJsKbwd8rVIyKNC5
-frGYaw+0cxO6/WvSir0eA=
------END CERTIFICATE-----
-"
-}
-```
-
 ### Clerk
 
 Clerk integrates with Hasura GraphQL Engine using JWTs.