
I am having difficulty getting Auth0 to return access tokens in JWT format. I need them in JWT format in order that I can verify them using a Java JWT library.

I am using Auth0 Lock to log in, and /oauth/token to get the access token. I have tried setting the audience to our API identifier (in multiple places, including the Lock auth params and the /oauth/token payload) without success: the access token is returned, but it is not a JWT.

Alternatively, is there a Java library for validating "native" Auth0 access tokens?

var options = {
    auth: {
        redirectUrl: '<redirect_link>',
        responseType: 'code',             // authorization code flow; the code is exchanged at /oauth/token
        params: {
            audience: '<API_identifier>', // the API the access token should be issued for
            scope: 'openid offline_access'
        }
    },
    allowedConnections: ['Username-Password-Authentication']
};

var lock = new Auth0Lock('<clientId>', '<auth0_Host>', options);
lock.show();

The returned code is used to POST to https://<host>/oauth/token with data:

client_id=<client_id>&redirect_uri=<redirect_url>&client_secret=<client_secret>&code=<returned_code>&grant_type=authorization_code&audience=<API_identifier>

This succeeds, but the access token is not a JWT, for example: "access_token":"sG99DAJI789SYgTj"

Using the scope openid returns an id_token in JWT format, but from reading the documentation, this token should not be used for API authorisation.

asked by user3352488 (edited by DanielM)

1 Answer


It seems Auth0 is using OpenID Connect, which is an extension of OAuth2. After a successful end-user authentication, the server returns an ID Token in JWT format and an access token.

ID Token

The ID Token is a security token that contains Claims about the Authentication of an End-User by an Authorization Server when using a Client, and potentially other requested Claims. The ID Token is represented as a JSON Web Token (JWT) [JWT].

You can validate the ID Token on the client side using any JWT library, but the validation rules for access tokens are different:

3.2.2.9. Access Token Validation

To validate an Access Token issued from the Authorization Endpoint with an ID Token, the Client SHOULD do the following:

  1. Hash the octets of the ASCII representation of the access_token with the hash algorithm specified in JWA for the alg Header Parameter of the ID Token's JOSE Header. For instance, if the alg is RS256, the hash algorithm used is SHA-256.

  2. Take the left-most half of the hash and base64url encode it.

  3. The value of at_hash in the ID Token MUST match the value produced in the previous step.

So, basically, to validate it you need to compute the digest of the access_token using the hash algorithm of the ID Token, and check that it matches the at_hash claim of the ID Token.

answered by pedrofb (edited by Community)