JWTVerifier alternatives #419
Comments
@kuma-guy - Apologies for that! It looks like that was not updated since the latest major release. You can see how it works in the SDK here: https://github.com/auth0/auth0-PHP/blob/master/src/Auth0.php#L645-L670 But, in short, your code should look about like this, assuming you're working with an RS256 token and are checking for a nonce:

```php
use Auth0\SDK\Helpers\JWKFetcher;
use Auth0\SDK\Helpers\Tokens\AsymmetricVerifier;
use Auth0\SDK\Helpers\Tokens\IdTokenVerifier;

// Fetch the tenant's signing keys (cached), verify the RS256 signature,
// then check iss/aud (the client ID) and the nonce from the login request.
$jwksFetcher = new JWKFetcher($this->cacheHandler, $this->guzzleOptions);
$jwks = $jwksFetcher->getKeys(JWKS_URL_HERE);
$sigVerifier = new AsymmetricVerifier($jwks);
$idTokenVerifier = new IdTokenVerifier(TOKEN_ISSUER_HERE, $this->clientId, $sigVerifier);
$decodedToken = $idTokenVerifier->verify($idToken, ['nonce' => NONCE_VALUE_HERE]);
```

I'll make sure the docs get updated ASAP. Thank you for the report!
@joshcanhelp Thank you for the explanation and updating the docs!
I'm sorry to ask you again. I notice that On the other hand, the updated document sets client_id. Are client_id and audience the same?
No apology needed, we're here to help!
The audience of a JWT depends on the context. If you are an application and you're validating an ID token for the purpose of signing in, then the audience will be the client ID (the ID token was generated for that specific application). If you are an API accepting JWT-formatted access tokens (like the ones that Auth0 generates), then the audience will be the |
So |
Can you explain this a bit more? I'm not following what the use case is here. But, to explain the change here ... ID tokens should only be validated by the application (Client) that's being signed into. Access tokens should only be validated by the API (Resource) that's receiving them. If you have a token of either kind that's being validated by two entities, then there might be a problem with how your solution is architected.
I have two APIs developed by different teams (API 1 and API 2). Additionally we have a SPA (Frontend). Both APIs (M2M applications) are "grouped" into an Auth0 API (so they have the same audience). However the frontend (Auth0 SPA application) has a different audience. So when the frontend is calling API 1, API 1 needs to check for the audience of the frontend token, but API 1 is also called by API 2 which has a different audience. This wasn't a problem in the past because there was a field in the config |
I'm still confused here. The API that's being called should be receiving access tokens with itself as the audience. Different applications calling the same API should be requesting access tokens with the API's audience.
Actually we do that already from the frontend:
But the idToken has the SPA CLIENT ID as an audience. So to not confuse you: yes, API 1 and API 2 have the same audience; the problem is the audience of the frontend idTokens.
Your API should be accepting access tokens generated for that API, not ID tokens generated for your applications. Your API should not need to be aware of the applications that call it and ID tokens should not be sent to other entities. I would take a look at our API documentation for more detailed guidance or our recommended way to architect this: |
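The audience rule laid out in the replies above (ID token: aud is the client ID, validated only by the application; access token: aud is the API identifier, validated only by the API) as an added, self-contained example. This is not code from the auth0-PHP SDK or from anyone in this thread: it mints two RS256 tokens with a throwaway key generated at runtime, and the issuer, client ID, API identifier and nonce values are placeholders chosen for the example.

```php
<?php
// Added example, not part of the auth0-PHP SDK: a minimal RS256 JWT mint/verify
// pair used to show which audience each validator must check.
// ISSUER, CLIENT_ID and API_IDENTIFIER are placeholders chosen for this example.

const ISSUER         = 'https://example-tenant.auth0.com/';
const CLIENT_ID      = 'spa-client-id-placeholder';      // the SPA application
const API_IDENTIFIER = 'https://api.example.com';        // the Auth0 API (shared by API 1 and API 2)

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4));
}

// Signs $claims as an RS256 JWT with the given private key.
function signRs256(array $claims, $privateKey): string {
    $header  = b64url(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $payload = b64url(json_encode($claims));
    openssl_sign("$header.$payload", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url($sig);
}

// Checks alg, signature, issuer, expiry and that $expectedAudience is listed in aud.
// Returns the claims on success, throws on any failure.
function verify(string $jwt, string $expectedAudience, $publicKey): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    if (($header['alg'] ?? null) !== 'RS256') throw new RuntimeException('unexpected alg');
    if (openssl_verify("$h.$p", b64urlDecode($s), $publicKey, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    $claims = json_decode(b64urlDecode($p), true);
    if (($claims['iss'] ?? null) !== ISSUER) throw new RuntimeException('wrong issuer');
    if (($claims['exp'] ?? 0) <= time()) throw new RuntimeException('expired');
    $aud = (array)($claims['aud'] ?? []);   // aud may be a string or an array
    if (!in_array($expectedAudience, $aud, true)) {
        throw new RuntimeException('audience mismatch: token is for ' . implode(',', $aud));
    }
    return $claims;
}

// Throwaway key pair standing in for the tenant's JWKS key.
$key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$pub = openssl_pkey_get_public(openssl_pkey_get_details($key)['key']);
$now = time();

// ID token: aud is the SPA's client ID. Only the SPA validates it, including the nonce.
$idToken = signRs256([
    'iss' => ISSUER, 'sub' => 'auth0|user', 'aud' => CLIENT_ID,
    'iat' => $now, 'exp' => $now + 600, 'nonce' => 'n-0S6_WzA2Mj',
], $key);

// Access token: aud is the API identifier. Only the API validates it; azp records
// which client requested it, so the API does not need a per-client audience.
$accessToken = signRs256([
    'iss' => ISSUER, 'sub' => 'auth0|user', 'aud' => [API_IDENTIFIER, ISSUER . 'userinfo'],
    'azp' => CLIENT_ID, 'iat' => $now, 'exp' => $now + 600, 'scope' => 'read:things',
], $key);

// The SPA checks its ID token against its own client ID and the nonce it sent.
$idClaims = verify($idToken, CLIENT_ID, $pub);
if (($idClaims['nonce'] ?? null) !== 'n-0S6_WzA2Mj') throw new RuntimeException('nonce mismatch');
echo "SPA accepted ID token for aud=", $idClaims['aud'], "\n";

// API 1 and API 2 share API_IDENTIFIER, so one check accepts access tokens whether
// the SPA or the other API requested them.
$apiClaims = verify($accessToken, API_IDENTIFIER, $pub);
echo "API accepted access token, azp=", $apiClaims['azp'], "\n";

// Sending the SPA's ID token to the API (the situation in this thread) fails on aud.
try {
    verify($idToken, API_IDENTIFIER, $pub);
} catch (RuntimeException $e) {
    echo "API rejected ID token: ", $e->getMessage(), "\n";
}
```

Run with `php example.php`. The point of the last call is that the API's check never has to know the SPA's client ID: it compares aud to its own identifier, and a token minted for the application rather than for the API is rejected regardless of who sent it.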
This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
The documentation says that JWTVerifier is used to decode the token, but the current version has no JWTVerifier. How can I decode the token?
https://auth0.com/docs/libraries/auth0-php/jwt-validation