How to validate the user is who they say they are from a resource server?

I have a setup where I have a Next app using Auth0 to handle auth in the standard (non-SPA) way. I have a separate Rust resource server that I’m passing the Auth0 access token to in order to validate that the one making the request to the resource server is the right person. So I need to validate the access token that was passed from Auth0 → Next → Rust resource server on the resource server. What’s the recommended way to do this? Or would you recommend a different pattern?

The recommended way to validate the Auth0 access token on your Rust resource server is to use the JSON Web Token (JWT) validation mechanism. Here’s a suggested approach:

  1. Obtain the Access Token: In your Next.js app, after successful authentication with Auth0, you will receive an access token. Pass this token as a Bearer token in the Authorization header when making requests from Next.js to your Rust resource server.

  2. Validate the Access Token: On your Rust resource server, you can use a JWT library to validate the access token’s signature, expiration, and issuer. The recommended library for JWT validation in Rust is jsonwebtoken. You can use it to parse and validate the token’s claims against the public key provided by Auth0.

  3. Implement Token Verification Middleware: Create a middleware or function in your Rust resource server that intercepts requests and validates the incoming access token before allowing access to protected resources. This middleware should extract the token from the Authorization header, validate it using the jsonwebtoken library, and either allow or deny access based on the validation result.

By following this approach, you can ensure that only valid access tokens issued by Auth0 are accepted and granted access to your protected resources on the Rust resource server.

Thanks for the reply.

  1. Done, I had that working

  2. Before reading your comment, I implemented a request to the /userInfo endpoint from the Rust resource server. I figured this also works if it returns the token information. Is this correct? Or is it important to do step 2 as you described?

Using the /userinfo endpoint to obtain user information from the access token is a valid approach. The /userinfo endpoint is an OAuth 2.0 protected resource that can be used to retrieve user profile information based on the access token.

However, it’s important to note that relying solely on the /userinfo endpoint for token validation may not provide the same level of security as performing a full JWT validation. The /userinfo endpoint is designed to provide user information and may not perform the same level of signature and claim validation as a dedicated JWT library.

If you want to ensure the integrity and authenticity of the access token, it is recommended to implement JWT validation using a library like jsonwebtoken in your Rust resource server. This allows you to validate the token’s signature, expiration, issuer, and other claims to ensure that it has not been tampered with and is a valid token issued by Auth0.

While using the /userinfo endpoint can provide some basic token information, implementing JWT validation using a library provides a more comprehensive and secure approach for validating access tokens in your Rust resource server.


Great, this is the info I need. Thanks!