We are using Auth0 for authentication. We have created an Application in Auth0 for our frontend React.js App, and an API for our backend Golang service. Now, we are using the React.js & Go quick starts for now.
Our flow is like this: the user comes to our Frontend App and signs up/logs in. Auth0 gives the Access token, Id token, Refresh token. Now this React App needs to call the Golang backend service. It passes the Access token as the Authorization header in the API calls to the backend. In the Go API Quickstart, a middleware function EnsureValidToken validates the access tokens. We use the RS256 Algorithm.
Now my concern is, how does the backend service validate the tokens? If someone creates a JWT token with the same header and payload as the one issued by Auth0, using his own Public and Private key, since it is a valid JWT, how does the backend API validate that the JWT was not created by my Auth0 tenant for my React & Go API?
Does the backend service SDK interact with Auth0 for the token validation?
This gets at the core of asymmetric cryptography, of which the RS256 algorithm is an implementation. When a token is minted by Auth0 it is signed with the tenant’s private key, and verified by the API (Go API in this case) using the public key. In your example, if a malicious actor creates a token with their own private/public key pair, EnsureValidToken would not validate it, and it would thus be unauthorized. The Go middleware will rely on JWKS to fetch the public key and use it to verify/validate any token used against it.
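As an added example (not code from the Go quickstart or from either poster), here is a stdlib-only sketch of the check EnsureValidToken performs: a token built with the same header and claims but signed with an attacker's own key fails VerifyRS256 because only the tenant's public key is trusted, and the pinned alg refuses tokens that merely claim a different algorithm. The function names are hypothetical, and the trusted key is passed in directly instead of being looked up by kid from the tenant's JWKS endpoint.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// SignRS256 mints a JWT the way an issuer does: base64url(header).base64url(claims), then an RSA PKCS#1 v1.5 signature over it.
func SignRS256(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyRS256 is the API side: only signatures made by the one public key it trusts (the tenant's, from JWKS in real
// deployments) are accepted, and the alg is pinned so a header rewritten to "none" or HS256 is refused up front.
func VerifyRS256(token string, trusted *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	if errH != nil || errS != nil {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(trusted, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature was not produced by the trusted key")
	}
	body, _ := base64.RawURLEncoding.DecodeString(parts[1])
	claims := map[string]any{}
	return claims, json.Unmarshal(body, &claims)
}
```

Real middleware additionally checks iss, aud and exp on the returned claims; the signature check above is only the part that answers the question of who minted the token.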