0

I'm trying to implement OAuth authentication for my google home compliant google-actions backend but I'm not sure on how to validate the token that google is giving me on the authorization header, I was expecting an JWT token but it isn't.

I'm doing my backend on express and node.js with express-jwt to parse the token and jwks-rsa to fetch the encryption key. I've setup my Auth0 tenant loosely based on this guide and it works fine, the login screen shows up and works just fine.

An example of a token google sends me is something along the lines of

authorization:"Bearer msuVRoQGJ_aPqH-zShLq053aAEVmlHqi"

I was expecting google to communicate with Auth0 to exchange a JWT token and then use it to authenticate to my API by sending it as a authorization header. But I don't know what is the bearer token google is sending or how do I validate it.

Samuel H.
  • 33
  • 1
  • 6

1 Answers1

1

By default Auth0 will send you an opaque access token when you authorize to a non-Custom API (similar to the one you received). JWT Access tokens are only issued to custom APIs. So in order to get it in JWT format, you will need to create an API in Auth0 and set the API identifier you defined as the audience parameter.

You will issued JWT Access tokens for Custom APIs and you can validate and verify the integrity of it (there is an example on how to do this in Nodejs): https://auth0.com/docs/api-auth/tutorials/verify-access-token

Shayan
  • 652
  • 5
  • 12
  • Thanks for the answer, your diagnose was dead on, but I took a while to realize that the audience parameter was a query string one to the authorization URL, so I URL encoded it and changed it into google action authorization URL, works flawlessly now, thanks. – Samuel H. Dec 31 '18 at 11:58