Hi there,
I’m a little confused about JWKS. I know I need to retrieve it to validate my JWT, and I do this as below (via jose):
    import { createRemoteJWKSet, jwtVerify } from 'jose';
    // StatusError is assumed to come from the router in use (itty-router exports one)

    // Create the remote key set once and reuse it, so jose can cache the fetched keys
    let jwks;

    const withAuth = async (req, env) => {
      try {
        if (!jwks) {
          const jwksUrl = env.AUTH0_DOMAIN + env.AUTH0_JWKS_URI;
          jwks = createRemoteJWKSet(new URL(jwksUrl));
        }
        const header = req.headers.get('authorization');
        if (!header) throw new Error('missing token');
        const tkn = header.replace(/^Bearer\s/i, '');
        const options = {
          algorithms: ['RS256'],
          issuer: env.AUTH0_DOMAIN,
          audience: env.AUTH0_API_AUDIENCE
        };
        // jwtVerify checks the signature, issuer, audience and expiry;
        // use its verified payload instead of decoding the token a second time
        const { payload } = await jwtVerify(tkn, jwks, options);
        req.userMeta = payload;
      } catch (e) {
        throw new StatusError(401, e.message);
      }
    };
But my question is, should the JWKS be available in this way at a publicly-available URL? I can literally go to https://<my-auth0-domain>/.well-known/jwks.json
and see my JWKS. I’m not sure if this is worrying or not.
I found this page, which tells you how to locate the JWKS, which sort of implies it should not be on a guessable URL but somewhere else? Mine seems to be available on the URL I mentioned above.
Any clarification much appreciated!