Can I trust the user data in a request from angular to node if I'm using the JWT?

I’m writing an application using angular5/nodejs and I’m trying to implement a function on the node side to update a user’s metadata. I only want to allow the user that is logged in to update their own metadata.

Currently I’m authenticating the user on the angular side and then sending their id_token in the header to my node service. Below is a snip from the node side. This works and will only provide a response if a user is logged in which is great:

From my server.js:

var express = require('express');
var jwt = require('express-jwt');   // validates the bearer JWT on each request
var jwks = require('jwks-rsa');     // fetches the tenant's signing keys from the JWKS endpoint
var app = express();

var jwtCheck = jwt({
    secret: jwks.expressJwtSecret({
        cache: true,
        rateLimit: true,
        jwksRequestsPerMinute: 5,
        jwksUri: "https://{mine}.auth0.com/.well-known/jwks.json"
    }),
    //This broke when I was using 'audience'
    // note: express-jwt's option name is 'audience'; 'aud' is not an option it knows,
    // so no audience check is performed by this configuration
    aud: 'authlet-id',
    issuer: "https://{mine}.auth0.com/",
    algorithms: ['RS256']
});

// Private route: jwtCheck rejects the request unless a valid signed token is present
app.get('/api/private', jwtCheck, (req,res)=>{
  console.log("req:");
  console.log(req);
  let deals = [
    "private1", "private2","private3"
  ];
  res.json(deals);
})

From my api service on the angular side:

getPrivate() {
  return this.http
    .get(this.privateApiUrl, {
      headers: new HttpHeaders().set('Authorization', `Bearer ${localStorage.getItem('id_token')}`)
    })
    .pipe(
      catchError(this.handleError)
    );
}

My question is… can I trust the user id that is in req.user.sub which looks something like ‘auth0|5a3d65RANDOMSTUFF5276’ ? I’ve seen mixed thoughts on using id_token for authorization, specifically here, which says:

  • An id_token cannot be used for API access.
  • An access_token cannot be used for authentication.

But I want to authorize the user that is logged in, to then call the management API. It seems like both id_token and access_token can be passed in my header and validated successfully with my jwtCheck but I’m not sure of the difference or which is ‘better’. If access_token should be used in this situation, what would I ever use id_token for?

I’m worried that maybe the jwtCheck is just validating the token but maybe the request could be passing an altered user id (malicious obviously). Is this possible or does it check the validity of this data as well? Thanks!

As mentioned in the link you included, you should be using access tokens when calling APIs. The ID token is still useful for the client application in cases where it wants to show some information related to the authentication event that just took place.

In this case your Angular application should request an ID token to possibly display (after validating the ID token) the end-user email upon authentication. For future calls to your API the Angular application should have also requested an access token suitable for the API in question by using the audience parameter. Have in mind that you would have to represent your API in the APIs section.

The ID token is always a JWT and an access token requested to a custom API you configured is, at this time, also a JWT. Given that in both cases the JWTs are being signed by the issuer, any information contained within can be trusted by the receiver as coming from a trusted party as long as the receiver performs signature validation (which would be the case of your jwtCheck logic).

Due to the above you can trust the data contained in the token and use the user identifier contained within the token to know which user authenticated and is associated with the token; the access token issued to your API will also contain a sub claim that contains the user identifier of the end-user.