I’m validating the id_token retrieved after Authentication to determine if it was sent my Auth0. To do this I need to first decode the id_token in order to access the kid property which I then use to key the auth0-provided jwks for the x05c used to build a public key to validate the JWT signature.
I am asking if there is a way to obtain the kid field in the authResult object instead so I don’t have to first decode the token.
Not to my knowledge, so for that representation of a JWT you would indeed first have to decode the header component in order to proceed with the validation. Ideally and if possible you would just use a library that has built-in support for the JSON web keys endpoint and does all that for you.
Thank you for your response – I am currently using auth0’s [jwks fetcher] - GitHub - auth0/node-jwks-rsa: A library to retrieve RSA public keys from a JWKS (JSON Web Key Set) endpoint. to grab the arguments for validation from the jwks and then feeding them to [node-jsonwebtoken] - GitHub - auth0/node-jsonwebtoken: JsonWebToken implementation for node.js http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html which is the only recommended nodejs impl listed on jwt.io (which I believe is auth0’s own site?). This impl requires that I fetch the kid from the incoming id_token.
Is there a better way I can do this in reactjs/node?
So looking more closely at my solution… am I correct in discovering that auth0’s parse hash does much more than just construct an AuthResult object from the URL params access_code and id_token?
it not only does that but also validates the id_token using the auth0 jwks…
![alt text][1]
…An entire process I spent the entire last weekend figuring out how to do! haha Well I guess I know what’s happening behind the scenes better now. But a suggestion – perhaps rename the parseHash method to be something more akin to it’s purpose of also validating the signature of the id_token JWT? haha
anyway looks like I can remove a big chunk of code now – ty!