
Improve JWTValidator to also validate access tokens #180

Open
5 tasks done
Artenuvielle opened this issue Jun 8, 2023 · 3 comments

Comments

@Artenuvielle

Checklist

  • I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

The verify function in class Omniauth::Auth0::JWTValidator only checks that client_id is included in the audience of the given token. This works for validation of an ID token, but not of an access token. Users may want to manually verify any tokens since this class is publicly accessible.

Describe the ideal solution

It could be useful to either have two functions (e.g. verifyIdToken and a more general verify) or set the client_id as a validation parameter when calling verify on ID tokens.

Alternatives and current workarounds

Currently one can only use the decode function of said class and verify the claims oneself.

Additional context

No response

@stevehobbsdev
Contributor

Thanks for the feedback @Artenuvielle. As this library is primarily concerned with application login, and access tokens should be validated by the API they're intended for, we have not so far included a validator that validates access tokens. Are you in a scenario where you're using this SDK also on an application that provides an API protected by access tokens?

@ajoy39

ajoy39 commented Aug 18, 2023

Late to the party here, but I can say that I am working with an app that uses this SDK for application login and also has a protected API we want to use access tokens for. Does Auth0 offer another package for use with machine-to-machine clients? We are trying to use Auth0 to unify the user base and authorization logic of three different applications, one built with Laravel and two built with Rails. The Laravel Auth0 package supports API authorization via access token, so I was hoping the recommended package for Rails did the same.

@stevehobbsdev
Contributor

@ajoy39 Unfortunately today we don't have a built-in way to do this with one of our SDKs, and recognise that it is a gap when compared to some of our other SDKs. However, please check out this quickstart that shows one way to do API authorization with Auth0 in Rails (the quickstart uses the jwt gem).
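The thread above turns on one detail: an ID token's `aud` is the application's client_id, so a check that "client_id is in aud" is the right test for an ID token and the wrong test for an access token, whose `aud` is the API identifier the token was minted for. The following is an added example, not code from omniauth-auth0 or from the Rails quickstart, showing what a Rails API that received such an access token has to check itself. It uses only Ruby's standard library (`openssl`, `json`) rather than the jwt gem, and it self-signs tokens with a freshly generated RSA key as a stand-in for the tenant's JWKS; `ISSUER`, `CLIENT_ID`, `API_AUDIENCE` and the claim sets are constructed placeholders, and the assumed token shape (access token `aud` holding the API identifier plus the `/userinfo` endpoint) is the usual Auth0 layout, not something this issue states.

```ruby
require "openssl"
require "json"

# Constructed placeholders (not real Auth0 identifiers). An ID token's "aud" is the
# application's client_id; an access token's "aud" is the API identifier.
ISSUER       = "https://example.auth0.com/"
CLIENT_ID    = "example-client-id"
API_AUDIENCE = "https://api.example.com"

# Stand-in for the tenant signing key; a real API fetches the public half from the JWKS endpoint.
KEY = OpenSSL::PKey::RSA.generate(2048)

class TokenError < StandardError; end

def b64url(bytes)
  [bytes].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  s += "=" * ((4 - s.length % 4) % 4)
  s.unpack1("m0")
end

# Mints a compact RS256 JWT so the example runs offline; in practice Auth0 issues the token.
def sign_rs256(claims, key)
  signing_input = "#{b64url(JSON.generate({ alg: "RS256", typ: "JWT" }))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new("SHA256"), signing_input))}"
end

# Full validation: pin the algorithm, verify the signature, then check iss, exp and aud.
# expected_audience is CLIENT_ID for an ID token and API_AUDIENCE for an access token.
def verify_token(token, public_key, expected_audience:, now: Time.now.to_i)
  parts = token.split(".")
  raise TokenError, "malformed token" unless parts.length == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # Never let the token choose the algorithm: "none" or an HMAC alg is rejected before any crypto runs.
  raise TokenError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "RS256"
  signing_input = "#{header_b64}.#{payload_b64}"
  begin
    valid = public_key.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(sig_b64), signing_input)
  rescue OpenSSL::PKey::PKeyError
    valid = false
  end
  raise TokenError, "bad signature" unless valid
  claims = JSON.parse(b64url_decode(payload_b64))
  raise TokenError, "wrong issuer #{claims['iss'].inspect}" unless claims["iss"] == ISSUER
  raise TokenError, "token expired" unless claims["exp"].is_a?(Integer) && now < claims["exp"]
  aud = Array(claims["aud"]) # "aud" may be a string or an array of strings
  raise TokenError, "audience #{aud.inspect} lacks #{expected_audience}" unless aud.include?(expected_audience)
  claims
end

# Returns :ok, or the reason the token was rejected.
def check(token, expected_audience, now)
  verify_token(token, KEY.public_key, expected_audience: expected_audience, now: now)
  :ok
rescue TokenError => e
  e.message
end

# Mints one ID token and one access token for the same user and validates each against both audiences.
def demo(now = Time.now.to_i)
  id_token = sign_rs256({ iss: ISSUER, sub: "auth0|user1", aud: CLIENT_ID, iat: now, exp: now + 3600 }, KEY)
  access_token = sign_rs256({ iss: ISSUER, sub: "auth0|user1", aud: [API_AUDIENCE, "#{ISSUER}userinfo"],
                              iat: now, exp: now + 3600, scope: "openid read:things" }, KEY)
  # Forged token that tries to skip signature verification by declaring alg "none".
  none_token = "#{b64url(JSON.generate({ alg: "none" }))}." \
               "#{b64url(JSON.generate({ iss: ISSUER, aud: API_AUDIENCE, exp: now + 3600 }))}.#{b64url("x")}"
  {
    id_token_as_client:     check(id_token, CLIENT_ID, now),        # the check JWTValidator#verify performs
    access_token_as_client: check(access_token, CLIENT_ID, now),    # the gap described in this issue
    access_token_as_api:    check(access_token, API_AUDIENCE, now), # what the API must check instead
    expired_access_token:   check(access_token, API_AUDIENCE, now + 7200),
    alg_none_forgery:       check(none_token, API_AUDIENCE, now),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result}" }
end
```

Run it and the second line shows why reusing the SDK's ID-token check on an access token fails: the access token's audience never contains the client_id. The order inside `verify_token` is deliberate: the algorithm is pinned and the signature checked before any claim is read, so a forged `alg: none` header is rejected without ever consulting the payload. The jwt gem the quickstart uses exposes the same controls through its `algorithms`, `verify_iss`/`iss` and `verify_aud`/`aud` options; whichever library you use, the `aud` you pass for an API must be the API identifier, not the application's client_id.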
