Auth0 returns a JWT token
- JSON that contains information about a user
- No need to send a request to Auth0 to verify JWT
- What pervents anyone to generate it?
The JWT token return by Auth0 are signed by Auth0 as well.
- We can just verify the signature
OAuth allows to use one of the two algorithms that it can use to sign a JWT token:
Symmetric (HS256)
- The same key for signing a token (by Auth0) and verifying a token (by our application)
- We need to store a key securely
- If this key leaks, an attacker can sign fradulent JWT token
Asymmetric (RS256)
- Different keys are used for signing and verifying a token
- We don't need to store the key
- Auth0 is responsible for storing a token
- We only get a sertificate to verify a token (Not signing)
Symmetric Signing:
- Auth0 use the secret to generate a toekn
- Return a Signed token to client
- Client send signed token to API Gateway
- Api Gateway has to use the same secret to to validate the signed token to get Cerificate
Asymmetric Signing:
- Auth0 uses a Private key which only use for signing
- Return the singed token to client
- Client send signed token to API Gateway
- We have a use a Cerificate to verify the singed token
Here is a code snippet that can be used to verify a JWT token with Node.js:
import { verify } from 'jsonwebtoken'
const jwtToken = '...'
const secret = '...'
verify(jwt, secret)
// If an exception is not thrown a JWT is validCreate an Application in Auth0
- Create an application
