According to the guide, I see they only validate the issuer and audience, what if someone know the issuer and audience and create a fake access token with that information? will my server be tricked?
Is there a way to validate the access token in my server securely?
I’m not an Auth0 employee, but I do know that the Microsoft ASP.NET Core Authentication library validates the signature on the JWT token behind the scenes.
Here is a high-level overview of what happens:
The API server is configured using the Microsoft.AspNetCore.Authentication.JwtBearer package. This can be seen on Step 5 that you referenced - be sure to select the Program.cs header in the code sample.
In step 5, the options.Authority attribute is set to the Auth0 domain. The ASP.NET Core Authentication framework uses this URL to query the Auth0 server for metadata, specifically the public key that Auth0 uses to sign its JWT tokens.
When a request is received on a secured API endpoint, the ASP.NET Core Authentication framework validates the signature on the request JWT token using the public key on the certificate that it fetched earlier from Auth0. It also performs other validation checks mentioned at Validate JSON Web Tokens | Auth0.
Therefore, it is validating more than only the issuer and audience, but it’s all behind the scenes.