can my server trust the access token from auth0?
Question
I'm using this workflow: https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow
In step 5, the app makes a request with an access token which is generated by Auth0.
This is the guide to validate the access token on the server: https://auth0.com/docs/quickstart/backend/aspnet-core-webapi/interactive
According to the guide, I see they only validate the issuer and audience. What if someone knows the issuer and audience and creates a fake access token with that information? Will my server be tricked?
Is there a way to validate the access token on my server securely?
Answer 1
Score: 3
The access token, generated by Auth0, is in the format of a JSON Web Token (JWT).
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
- Header
- Payload
- Signature
When a JWT is created, a signature is made of the content of the JWT, including a timestamp which is in the payload. For this hash the server uses a private key and an algorithm. If you want to validate the JWT, thus check the hash, you need the public key of the JWT server (Auth0). You can download this from the .well-known URL.
https://{yourDomain}/.well-known/openid-configuration
With the public key, you can validate the content (payload) of the JWT and verify that the signature was created with the private key of Auth0.
You can learn more about how JWT works at https://jwt.io/introduction.