Hello! Does the React SDK (@auth0/auth0-react 1.3.0) automatically validate ID Tokens returned from a successful login in the authorization_grant flow?
I’m currently able to read authenticated user data via the user property exposed by useAuth0 (const { user } = useAuth0()). My understanding is that this data is coming from the decrypted ID Token jwt, and my assumption is that the SDK is validating the jwt for me, which is quite nice.
I’m asking because the Auth0 docs suggest that ID Tokens should be validated, and I’m unable to find any concrete documentation in the SDK about whether this is already happening.
Thanks!
JWT expiration can be checked in two ways. First of all you have to install the jsonwebtoken package and require it at the top of your file. Thereafter, you can follow the below ways to check JWT expiration before sending any REST requests.
Thanks, Giles. I think my question is more whether it needs to be checked when using the React SDK. Since the SDK is supplying data from the ID Token via the user context, I’m wondering if it is handling token validation (including whether the token is expired) already.
Thanks for your patience here @dsavage. I came across this thread and can provide an answer, in case you don’t have one already.
The React SDK uses our Auth0 SPA SDK under the hood to do all the heavy lifting, which does indeed validate ID tokens on your behalf whenever it receives one, so you don’t need to do this yourself. In the event that a token is invalid, an error will be thrown.
Here’s the full routine if you want to check through what we do and don’t validate.
Hope that helps!