Does Auth0Client.LoginAsync Validate the Identification and Access Tokens on the Client Side?

TheLoneCoder · February 13, 2019, 8:28am

Hi,

I am logging into my Auth0 domain by calling the following method from the Auth0 SDK.

        var client = new Auth0Client(new Auth0ClientOptions
        {
            Domain = DOMAIN,
            ClientId = CLIENTID,                
            Scope = SCOPE, 
            LoadProfile = true
        });

        LoginResult loginResult = await client.LoginAsync();

It is my understanding that the Auth0 SDK Executes the Authorization Code Grant Flow with PKCE automatically. Does this mean that the Identification and Access tokens I receive do not require any Jwt token validation on the client side?

I will validate these tokens on the RESOURCE \ SERVER side, of course but can I safely use the tokens on the CLIENT side [such as Identity claims] without having to validate the Jwt identity token?

TheLoneCoder · February 14, 2019, 4:35am

I traced the source code for OidcClient2.The Auth0SDK is simply a wrapper for this library.

I found that validation of the Identity Token does occur within the IdentityTokenValidator class. ONLY the Identity token is processed by this method. The Access token is not validated here.

Search for the following method:

private ClaimsPrincipal ValidateSignature(string identityToken, JwtSecurityTokenHandler handler, TokenValidationParameters parameters)

The only validation I can find of the Access token is below. I cannot determine what the purpose of this is code is within the ResponseProcessor class in the OidcClient2 library. I think to understand this better I would need access to the source code for JwtSecurityTokenHandler. The JwtSecurityTokenHandler is what sets the value of atHash from what I can see.

var atHash = validationResult.User.FindFirst(JwtClaimTypes.AccessTokenHash);
if (atHash == null)
{
if (_options.Policy.RequireAccessTokenHash)
{
return new TokenResponseValidationResult(“at_hash is missing.”);
}
}
else
{
if (!_crypto.ValidateHash(response.AccessToken, atHash.Value, validationResult.SignatureAlgorithm))
{
return new TokenResponseValidationResult(“Invalid access token hash.”);
}
}
}
return new TokenResponseValidationResult(validationResult);

By the way, the Auth0Client instantiates the OidcClient(options) with options.Policy.RequireAccessTokenHash = ‘false’. This variable is used above.

In the Auth0Client class:
Policy =
{
RequireAuthorizationCodeHash = false,
RequireAccessTokenHash = false
}

So, in conclusion from what I can see:

1.) The Identity token is always validated by the Auth0SDK.
2.) I still am not certain if the Access token is validated.

Can someone please trace my findings and let me know if my conclusions are correct.

konrad.sopala · August 29, 2019, 11:06am

Hey there!

Sorry for such huge delay in response! We’re doing our best in providing you with best developer support experience out there, but sometimes our bandwidth is not enough comparing to the number of incoming questions.

Wanted to reach out to know if you still require further assistance?