Basic question about JWKS URL

Hi there,

I’m a little confused about JWKS. I know I need to retrieve it to validate my JWT, and I do this as below (via jose):

const withAuth = async (req, env) => {
    try {
        const getJwksUrl = env.AUTH0_DOMAIN+env.AUTH0_JWKS_URI;
        const jwks = createRemoteJWKSet(new URL(getJwksUrl));
        const header = req.headers.get('authorization');
        if (!header) throw 'missing token';
        const tkn = header.replace(/^Bearer\s/i, '');
        const options = {
            algorithms: ['RS256'],
            issuer: env.AUTH0_DOMAIN,
            audience: env.AUTH0_API_AUDIENCE
        };
       const result = await jwtVerify(tkn, jwks, options);
       req.userMeta = decodeJwt(tkn);
    } catch(e) {
        throw new StatusError(401, e);
    }
}

But my question is, should the JWKS be available in this way at a publicly-available URL? I can literally go to https://<my-auth0-domain>/.well-known/jwks.json and see my JWKS. I’m not sure if this worrying or not.

I found this page, which tells you how to locate the JWKS, which sort of implies it should not be on a guessable URL but somewhere else? Mine seems to be available on the URL I mentioned above.

Any clarification much appreciated!

Can anyone help me here?

Hey there @mhmh33usas welcome to the community!

Great question :slight_smile: Having the JWKS endpoint publicly available does not introduce a security risk, as the information it provides is meant to be public. The JWKS URL (https://<my-auth0-domain>/.well-known/jwks.json) is standard and adheres to the specifications for OpenID Connect and OAuth 2.0.

JWTs signed with an asymmetric algorithm (RS256 for example) rely on a pair of keys – A private key to sign the token and a public key to verify it. The security of this system relies on keeping the private key secure, while the public key is freely distributed to allow verification of the token’s authenticity.

2 Likes

That’s great, thanks so much.

I wonder if you’re able to help me with this other question of mine? I’d be very grateful.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.