Auth0 and Local Authorization Server

I have Auth0 set up to secure a resource server via Spring Security, and the access tokens are being provided directly from Auth0.
Is it possible to accept an Auth0 access token and generate a new one using a local Spring Authorization Server - to abstract away Auth0 from the rest of our services?
I can’t seem to find any examples anywhere. Any help is greatly appreciated!

Thanks

Hi @soren.jepsen

There is no need to do this. Access tokens follow a standard, they are not Auth0 specific.
To validate an access token, you just use the steps in the standard. Doesn’t matter if the token comes from Auth0 or from some other provider.

The signature verification keys are available via an endpoint.

John

Hi, John!

I need to replace the Auth0 tokens with my own tokens based on my own certificate - as I need to embed certain claims we store in our database.

For the cloud solution it’s OK to use Auth0 for initial sign-in (identity provider) / token - and then replace it with our own token. But for on-prem we need to be able to generate our own JWT tokens using Spring Authorization Server.

Hi @soren.jepsen

You can still do what you need in Auth0: you can add custom claims to the access tokens via actions (or rules), and you just get your API to validate using Auth0’s keys using the .jwks endpoint of the Auth0 tenant.

I am sure you can do some kind of token exchange to generate your own token, but I wouldn’t want to comment on it here. There are too many potentials for security holes if you go that route.

John
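
The validation approach described in the replies above, as an added example that is not part of the thread or written by any poster: a Spring Security 6 resource server that verifies tokens against the tenant's JWKS keys, checks issuer and audience, and maps a custom claim to authorities. The tenant domain, API identifier and claim name are assumed placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.core.*;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.oauth2.server.resource.authentication.*;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ResourceServerConfig {
    // Assumed placeholders: replace with the real tenant domain and API identifier.
    static final String ISSUER = "https://YOUR_TENANT.example.auth0.com/";
    static final String AUDIENCE = "https://api.example.com";
    // Hypothetical namespaced custom claim, e.g. one added by an Auth0 Action.
    static final String ROLES_CLAIM = "https://api.example.com/roles";

    @Bean
    SecurityFilterChain api(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2ResourceServer(rs -> rs.jwt(j -> j
                .decoder(jwtDecoder())
                .jwtAuthenticationConverter(rolesConverter())));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Signature keys come from the tenant's JWKS endpoint; only RS256 is accepted by default.
        NimbusJwtDecoder decoder = NimbusJwtDecoder
            .withJwkSetUri(ISSUER + ".well-known/jwks.json").build();
        // Default timestamp checks (exp, nbf) plus an exact issuer match.
        OAuth2TokenValidator<Jwt> issuer = JwtValidators.createDefaultWithIssuer(ISSUER);
        // Reject tokens minted for a different API in the same tenant.
        OAuth2TokenValidator<Jwt> audience = jwt ->
            jwt.getAudience() != null && jwt.getAudience().contains(AUDIENCE)
                ? OAuth2TokenValidatorResult.success()
                : OAuth2TokenValidatorResult.failure(
                      new OAuth2Error("invalid_token", "audience mismatch", null));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuer, audience));
        return decoder;
    }

    // Turns the custom claim's values into ROLE_* authorities for access rules.
    JwtAuthenticationConverter rolesConverter() {
        JwtGrantedAuthoritiesConverter roles = new JwtGrantedAuthoritiesConverter();
        roles.setAuthoritiesClaimName(ROLES_CLAIM);
        roles.setAuthorityPrefix("ROLE_");
        JwtAuthenticationConverter converter = new JwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(roles);
        return converter;
    }
}
```

Without the audience validator, any validly signed access token from the same tenant would pass, including one issued for a different API.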