Can my api server trust the access token from auth0?

I’m using this workflow: Authorization Code Flow (auth0.com)

In step 5, the app makes a request to my server with an access token which is generated by Auth0.

This is the guide to validate the access token in the server: Auth0 ASP.NET Core Web API SDK Quickstarts: Add Authorization to an ASP.NET Core Web API application

According to the guide, I see they only validate the issuer and audience. What if someone knows the issuer and audience and creates a fake access token with that information? Will my server be tricked?

Is there a way to validate the access token in my server securely?

1 Like

I’m not an Auth0 employee, but I do know that the Microsoft ASP.NET Core Authentication library validates the signature on the JWT token behind the scenes.

Here is a high-level overview of what happens:

  1. The API server is configured using the Microsoft.AspNetCore.Authentication.JwtBearer package. This can be seen in Step 5 that you referenced - be sure to select the Program.cs header in the code sample.
  2. In step 5, the options.Authority attribute is set to the Auth0 domain. The ASP.NET Core Authentication framework uses this URL to query the Auth0 server for metadata, specifically the public key that Auth0 uses to sign its JWT tokens.
  3. When a request is received on a secured API endpoint, the ASP.NET Core Authentication framework validates the signature on the request JWT token using the public key on the certificate that it fetched earlier from Auth0. It also performs other validation checks mentioned at Validate JSON Web Tokens | Auth0.

Therefore, it is validating more than only the issuer and audience, but it’s all behind the scenes.

3 Likes
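To make the "behind the scenes" part concrete, here is an added example (not code from the thread or from the Auth0 SDK) of the checks a resource server performs before trusting a token: pin the algorithm, verify the signature, then check iss, aud and exp. Auth0 signs access tokens with RS256 and publishes the public key via the Authority URL; this example uses an HMAC key so it runs with only the standard library, and the issuer, audience and key values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed sample values. Real Auth0 tokens are RS256-signed and the API
# fetches the verification key from the tenant's JWKS; HMAC is a stand-in here.
ISSUER = "https://example-tenant.auth0.com/"   # placeholder tenant
AUDIENCE = "https://api.example.com"           # placeholder API identifier
SERVER_KEY = b"constructed-demo-key"           # only the server/issuer know this

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, key: bytes, now=None) -> dict:
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the server decides, never the token (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")   # a forged token is rejected here, before any claim is trusted
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("bad issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("bad audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims

def forged_token_is_rejected() -> bool:
    """Knowing iss and aud is not enough: without the key, the signature check fails."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "forger", "exp": 4102444800}
    forged = make_token(claims, b"guessed-key")
    try:
        validate_token(forged, SERVER_KEY)
    except ValueError as e:
        return str(e) == "bad signature"
    return False
```

The same ordering (algorithm, signature, then claims) is what the JwtBearer middleware applies using the key it fetched from the Authority URL, so an attacker who knows only the issuer and audience cannot produce a token the API accepts.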
