
Calling API with Bearer JWT

api
clients
hs256
jwt-validation

#1

I am new to Auth0. I am not able to configure Auth0 to do what I need.

I created a new API to represent my service that will accept the Bearer token from clients. I set it up with HS256 to use the shared secret.
I set up a client in the Auth0 dashboard to represent my SoapUI client: client type Native, using the HS256 JsonWebToken Signature Algorithm.

The question is: how do I set up the client and my API to have the same secret? My understanding is that the client sends the Bearer token to my API server, and the API server will use the Java verifier to validate the token. https://github.com/auth0/java-jwt


#2

I believe the source of the issues you described is some confusion around the fact that there can be more than one type of token being issued. In particular, when you configure an API in the APIs section and then proceed to configure it to use HS256 or RS256, what this API expects to receive is an access token issued in accordance with that configuration.

The client application will have to state during the authentication/authorization request that it wants to receive an access token for the API in question; it does this by means of the audience parameter or by configuring a default audience that’s associated with the identifier you configured for the API.

In addition to that, the client application can also receive an ID token, and that is what the JsonWebToken Signature Algorithm setting applies to. So technically, depending on the client, you can receive an ID token signed with RS256 alongside an access token meant for an API that uses HS256. Given that the ID token is only meant to be processed by the client application, this has no influence at the API level.

In conclusion, the client application will have different secrets than the ones used by APIs configured to use HS256, but that is irrelevant because what the client will send to the API is the access token, and that access token is issued according to the API configuration/secret (assuming the client application specified the appropriate audience parameter).

Further useful read:
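Added example, not from this thread or from Auth0's java-jwt: the check the API side has to perform on the HS256 access token described in #2, written in Python with only the standard library so it runs stand-alone. The API signing secret, the API identifier (the audience) and the token claims are constructed stand-ins; `mint_hs256_token` stands in for the issuer so the demo can build tokens offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values; in Auth0 the API signing secret and the
# API identifier (audience) come from the APIs section of the dashboard.
API_SIGNING_SECRET = b"constructed-api-signing-secret-not-a-real-one"
API_IDENTIFIER = "https://my-service.example.com"

def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def verify_hs256_access_token(token: str, secret: bytes, audience: str, now=None) -> dict:
    """API-side check: HMAC with the API's secret, alg pinned to HS256, aud equal to
    the API identifier, not expired. Returns the claims or raises ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token is not a three-part compact JWS")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("token not issued for this API (aud mismatch)")
    now = time.time() if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def mint_hs256_token(claims: dict, secret: bytes) -> str:
    # Stand-in for the issuer, used only to build sample tokens for this demo.
    header_b64 = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"
```

A token signed with the client's own secret, or issued for a different audience, fails this check even though it is a valid JWT; only a token minted with the API's secret for the API's identifier passes.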


#3