I’m working on a Rust-based full-stack app that uses Auth0 + PKCE flow to authenticate users via a Yew SPA frontend.
The project is open-source and available on github
organization: opendrafts-rs-os
repository: openapi-axum-server
branch: [auth0-part2-gui]
dir: gui
Project Overview
- Frontend:
- Framework: [Yew] (Rust/WASM SPA)
- Directory:
gui/
(separate frontend)
- Backend:
- Framework: [Axum]
- Auth Flow: Authorization Code Flow with PKCE
- Auth0 app config (via
.env
file):
env
You add .env
CLIENT_ID="xxx"
DOMAIN="xxx.eu.auth0.com"
REDIRECT_URI="http://localhost:8080/callback"
Problem
After the user logs in, I receive an access_token in JWE format, which I cannot decrypt (no private key).
I would like to receive the access_token as a signed JWT (RS256), so I can validate it from the Axum backend using public JWKs.
What I’ve Tried
Used the example app in gui/.
Set up .env with the client config (see above).
Exchanged code using the function below (Yew/wasm code):
pub async fn exchange_code_for_token(
code: &str,
client_id: &str,
domain: &str,
redirect_uri: &str,
) -> Result<TokenResponse, String> {
let verifier = web_sys::window()
.and_then(|w| w.session_storage().ok().flatten())
.and_then(|s| s.get_item("code_verifier").ok().flatten())
.ok_or("missing code_verifier in sessionStorage")?;
let body = format!(
"grant_type=authorization_code&client_id={client_id}&code={code}\
&redirect_uri={redirect_uri}&code_verifier={verifier}"
);
let url = format!("https://{domain}/oauth/token");
let builder = Request::post(&url)
.header("Content-Type", "application/x-www-form-urlencoded")
.body(body)
.map_err(|e| format!("{e}"))?;
let response = builder.send().await.map_err(|e| format!("{e}"))?;
if !response.ok() {
let status = response.status();
let text = response.text().await.unwrap_or_else(|_| "empty".into());
return Err(format!("status: {status}: {text}"));
}
let token: TokenResponse = response.json().await.map_err(|e| format!("JSON: {e}"))?;
Ok(token)
}
My Questions
- How do I configure Auth0 (app or API settings) so that the returned
access_token
is a JWT, not a JWE? - Is it a matter of:
- changing the API signing algorithm from “RS256” to something else?
- setting a proper
audience
during token request?
- Can SPAs using PKCE ever receive JWT access tokens, or is JWE the default for security reasons?
- Should I enable/disable any “OIDC Conformant” or “Allow Skipping User Consent” options?
Extra Info
- The
access_token
returned starts like:
eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ...
- The
id_token
is a readable JWT – only the access token is JWE.
All suggestions are welcome!