Can my server trust the access token from Auth0?


Question

I'm using this workflow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow

In step 5, the app makes a request with an access token generated by Auth0.

This is the guide to validate the access token on the server: https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/interactive

According to the guide, they only validate the issuer and audience. What if someone knows the issuer and audience and creates a fake access token with that information? Will my server be tricked?

Is there a way to securely validate the access token on my server?


Answer 1

Score: 3


The access token generated by Auth0 is in the format of a JSON Web Token (JWT). In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

When a JWT is created, a signature is made of the content of the JWT, including a timestamp which is in the payload. For this hash the server uses a private key and an algorithm. If you want to validate the JWT, thus check the hash, you need the public key of the JWT server (Auth0). You can download this from the .well-known URL.

https://{yourDomain}/.well-known/openid-configuration

With the public key, you can validate the content (payload) of the JWT and verify if the signature is signed by the private key of Auth0.

You can learn more about how JWT works at https://jwt.io/introduction
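The check this answer describes, as an added Go example that is not part of the original answer or of the Auth0 quickstart: a server-side verifier that validates the RS256 signature with the issuer's public key before it looks at issuer, audience and expiry, next to a signer that stands in for Auth0. The function and type names are the example's own, the public key is assumed to have already been fetched from the JWKS that the openid-configuration document's jwks_uri points to, and aud is treated as a plain string although Auth0 access tokens may carry it as an array.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims are trusted only after the signature verifies; aud is kept as a plain string here.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// decode base64url-decodes one JWT segment and parses it as JSON.
func decode(seg string, v any) bool {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	return err == nil && json.Unmarshal(b, v) == nil
}

// VerifyJWT checks the RS256 signature before trusting iss, aud or exp: those are public strings, so a server checking only them accepts self-made tokens.
func VerifyJWT(token string, pub *rsa.PublicKey, iss, aud string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	hdr, c := struct{ Alg string `json:"alg"` }{}, Claims{}
	if len(parts) != 3 || !decode(parts[0], &hdr) || !decode(parts[1], &c) || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // also rejects alg=none
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is header.payload
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	if c.Iss != iss || c.Aud != aud || now >= c.Exp {
		return nil, errors.New("issuer, audience or expiry check failed")
	}
	return &c, nil
}

// SignJWT mints an RS256 token; it stands in for Auth0, or for a forger holding a different key.
func SignJWT(priv *rsa.PrivateKey, c Claims) string {
	p, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(p)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

A token minted with a key Auth0 never issued, or one whose header says alg none, fails at the header or signature step even when its iss and aud match exactly, which is the forgery the question asks about.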

huangapple
  • Posted on 2023-06-29 14:39:48
  • Please keep the link to this post when reposting: https://go.coder-hub.com/76578590.html