We have an API with a non-interactive client for each of our tenants. If I go to the API test tab and get a token for a client, I assume this is a JWT token that we can validate when 3rd parties call our API. I can use the token via Postman to call our API, but I need to validate the token against the tenant.
I have created an AuthorisationHandler to do this (with an attribute on the API controller) and am trying to validate the JWT token. I am using the Jose.JWT library, as mentioned somewhere in the docs, and once I have the token from the header and the client secret we store on our side, I am trying to validate the token like this:
var json = Jose.JWT.Decode(token, Encoding.UTF8.GetBytes(secretKey), JwsAlgorithm.RS256);
I can't get the above working; I am not too clear on what format these values need to be: strings or byte arrays, and/or base64 encoded/decoded. Is this the correct way to validate a token, and is validating tokens via an API the correct approach?
UPDATE:
I may be confused... I am creating a non-interactive client where my customers get the secret key. Do they need to call Auth0 directly to get a token and then call our API (similar to the test token on the test tab in the API section)? I think I am assuming our customers generate a token the same way we create one in the standard web application, which I now believe is HS256, which is incorrect? Should our customers call Auth0 directly to get a token, like the test token, or should we provide this via our API (a proxy where they use their clientSecret and we call Auth0)? What is usual practice here?
The situation is that I will have multiple customers calling our API using their own client credentials; however, I need to validate each one of our tenants. I think I was doing too much in trying to get the access token and validate it using their clientSecret on the fly? This is why I am trying to validate the token. So how do I validate the HS256 token, or indeed the client, to ensure our tenant is correct?
The key thing there is not just validating whether the token is valid, but I need to know who the client is. I can check the "sub" (Subject) claim to check the ClientId matches the client Id associated with our tenant; however, I can't be sure that someone has generated a token using their secret and just added in another clientId if they got hold of it? So I think I need to validate the token against the secret key that we hold to ensure the tenant is in fact the tenant? Something seems to be missing, something I can't see?
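Added example, not from the original post or from Auth0's or Jose.JWT's own code: the validation steps the post is after, written in Python with the standard library only (the post uses C#, but the order of checks is the same). It assumes the API's HS256 signing secret, issuer and audience are configured on the API side, that client-credentials tokens carry the client_id in "sub" as "<client_id>@clients", and a hypothetical client-to-tenant lookup; the secret, issuer, audience and client ids are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample configuration; the signing secret, issuer and audience belong to
# the API as registered in Auth0, not to any one calling client (assumption).
API_SIGNING_SECRET = b"constructed-api-signing-secret"
EXPECTED_ISS = "https://example-tenant.auth0.com/"   # placeholder issuer URL
EXPECTED_AUD = "https://api.example.com"            # placeholder API identifier
# Hypothetical lookup from Auth0 client_id to the tenant record held on our side.
TENANT_BY_CLIENT_ID = {"client_abc": "tenant-1", "client_xyz": "tenant-2"}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used here only to construct sample tokens."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def tenant_for_token(token: str, now=None):
    """Verify an HS256 access token and return the tenant it maps to, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: a token announcing "none" or RS256 is rejected outright.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(API_SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None                       # bad signature: nothing in the payload is trusted
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:                        # wrong segment count, bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("iss") != EXPECTED_ISS:
        return None
    audiences = aud if isinstance((aud := claims.get("aud")), list) else [aud]
    if EXPECTED_AUD not in audiences or claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    # Only now is "sub" trustworthy; Auth0 client-credentials tokens carry
    # "<client_id>@clients" there (assumption stated in the lead-in).
    client_id = str(claims.get("sub", "")).removesuffix("@clients")
    return TENANT_BY_CLIENT_ID.get(client_id)
```

The tenant comes from the verified "sub", so a caller who swaps in another clientId without the API's signing key fails the signature check before the claim is ever read.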