What is the best way to decode an API access_token from Auth0 using Google App Engine/python/webapp2 as a backend stack?
I am inexperienced in the ways of authentication, authorization, and cryptography, so please bear with me if I get my nomenclature all mixed up.
I am writing an app for a student project, for which I am creating a REST-ish web API. I would like to use Auth0 for user authentication and API authorization. I am creating the app on Google App Engine (GAE), standard environment, using python and webapp2 as the primary technologies.
I have successfully retrieved an API access_token on the client side, and I am working through the python token verification flow, similar to the one found in the Auth0 python API example. I'm getting stuck at the point of decoding the token, though!
The first problem is that the example uses the python jose package to decode the token. jose, and also PyJwt, depend on the python cryptography package for their heavy crypto lifting. Unfortunately, GAE standard environment does not support python packages with C libraries, so cryptography is not supported. PyJwt has an alternative setup they show specifically for use with GAE, which relies on pycrypto instead of cryptography. GAE offers pycrypto as a built-in library so that is fine. This works if I want to proceed with
The next problem I have is that the token verification flows I read about for Auth0 use jwks key sets to decode the token. Unfortunately, I cannot figure out how to use PyJwt in legacy mode with a jwks key … it expects a PEM formatted key.
I can picture several possible solutions, but I don’t know if they exist! Maybe something like one of the following?
- Convert the jwks key set to a PEM formatted key using
- Find a web API to decode the token for me, maybe from Auth0 or jwt.io?
- Retrieve a PEM formatted key from the Auth0 endpoint instead of a
- Just use RS256? Would this fix my problem?
Are any of these ideas realistic? Has anyone else had to deal with this issue?
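The following is an added example (not code from the question, Auth0, jose or PyJWT) that shows the two things the question is circling: turning the RSA entry of a JWKS into the PEM public key that a pycrypto-backed PyJWT wants, and the checks a verification library actually performs on an RS256 access token (kid lookup in the key set, pinning the algorithm rather than trusting the token header, RSASSA-PKCS1-v1_5/SHA-256 signature check, then exp, iss and aud). It uses only the Python 3 standard library (no C extensions), so the moving parts are visible; the key pair, the JWKS and the claims are constructed in the block for the demo, and the issuer and audience strings are placeholders. Key size is deliberately small for speed and is not a production setting.

```python
"""Added example: RS256 access-token verification against a JWKS, plus JWK -> PEM.
Standard library only; key pair, JWKS and token are constructed here for the demo."""
import base64, hashlib, hmac, json, random, time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# --- minimal DER so a JWK {n, e} can be written as a PEM SubjectPublicKeyInfo ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(i):
    body = i.to_bytes((i.bit_length() + 8) // 8, "big")  # extra byte keeps it positive
    return b"\x02" + der_len(len(body)) + body

def der_seq(*parts):
    body = b"".join(parts)
    return b"\x30" + der_len(len(body)) + body

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def jwk_to_pem(jwk):
    """RSA JWK entry -> PEM public key, the form a pycrypto-backed PyJWT accepts."""
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    rsa_key = der_seq(der_int(n), der_int(e))
    bit_string = b"\x03" + der_len(len(rsa_key) + 1) + b"\x00" + rsa_key
    spki = der_seq(der_seq(RSA_OID, b"\x05\x00"), bit_string)
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

# --- RSASSA-PKCS1-v1_5 with SHA-256, i.e. what "RS256" means ---
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):
    t = SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(n, d, msg):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(n, e, msg, sig):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(msg, k))  # constant-time compare

# --- demo key generation (Miller-Rabin); 1024-bit is a demo size, not a recommendation ---
def _probable_prime(n, rounds=16):
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _rand_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def gen_rsa(bits=1024):
    e = 65537
    while True:
        p, q = _rand_prime(bits // 2), _rand_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e prime, so this is gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)

def make_jwks(n, e, kid):
    to_b64 = lambda i: b64url_encode(i.to_bytes((i.bit_length() + 7) // 8, "big"))
    return {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": to_b64(n), "e": to_b64(e)}]}

def make_token(n, d, kid, claims):
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return ".".join([header, payload, b64url_encode(rs256_sign(n, d, f"{header}.{payload}".encode()))])

def verify_access_token(token, jwks, audience, issuer, now=None):
    """The steps a JWT library performs; raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":   # pin the algorithm; the token header does not get to choose
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("no matching kid in JWKS")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    if not rs256_verify(n, e, f"{header_b64}.{payload_b64}".encode(), b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(b64url_decode(payload_b64))  # only trust claims after the signature passes
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims

if __name__ == "__main__":
    n, e, d = gen_rsa()
    jwks = make_jwks(n, e, "demo-kid")            # stands in for GET https://<tenant>/.well-known/jwks.json
    tok = make_token(n, d, "demo-kid", {"iss": "https://TENANT.auth0.com/", "aud": "my-api",
                                         "exp": int(time.time()) + 3600, "sub": "user|1"})
    print(verify_access_token(tok, jwks, "my-api", "https://TENANT.auth0.com/"))
    print(jwk_to_pem(jwks["keys"][0]))
```

In a real backend the JWKS comes from the tenant's jwks.json endpoint and should be cached and refreshed only when an unknown kid appears, and the PEM produced by jwk_to_pem is what you would hand to a pycrypto-backed PyJWT with algorithms=['RS256'] fixed on the server side. Note that pow(e, -1, phi) needs Python 3.8+, so the block illustrates the steps rather than targeting the App Engine python27 runtime.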