I need to figure out how to validate a token generated from auth0 for a non-express/non-hapi node microservice. The quickstart samples that use the express implementation for node-jwks-rsa are not really an option here, as this is a hemera service. so for this code:
this.hemera.use(hemeraJwt, {
enforceAuth: true,
jwt: { secret: 'test' }
})
how can I retrieve the jwt secret for the hemeraJwt to decode the token?
From the code snippet you seem to be using hemera-jwt-auth library which is then using node-jsonwebtoken library to perform the actual validation of the tokens.
Based on that and assuming secret is being passed directly to node-jsonwebtoken method verify then the value of that option should be:
secretOrPublicKey is a string or buffer containing either the secret for HMAC algorithms, or the PEM encoded public key for RSA and ECDSA.
In conclusion, if the API you configured in Auth0 uses HS256 then you should pass the signing secret available in the settings. If it uses RS256 you need to obtain the PEM encoded public key of the signing key used to issue RS256 tokens. You can obtain that information from the https://{your_domain}.auth0.com/.well-known/jwks.json endpoint or directly by downloading the PEM public key at https://{your_domain}.auth0.com/pem. the first is the recommend way as that endpoint is defined as part of standards while the seconds is Auth0 specific endpoint.