I need to figure out how to validate a token generated from Auth0 for a non-express/non-hapi node microservice. The quickstart samples that use the express implementation for node-jwks-rsa are not really an option here, as this is a hemera service. So for this code:
    this.hemera.use(hemeraJwt, {
      enforceAuth: true,
      jwt: { secret: 'test' }
    })
How can I retrieve the jwt secret for the hemeraJwt to decode the token?
From the code snippet you seem to be using hemera-jwt-auth library which is then using node-jsonwebtoken library to perform the actual validation of the tokens.
Based on that and assuming secret is being passed directly to node-jsonwebtoken method verify then the value of that option should be:
secretOrPublicKey is a string or buffer containing either the secret for HMAC algorithms, or the PEM encoded public key for RSA and ECDSA.
In conclusion, if the API you configured in Auth0 uses HS256 then you should pass the signing secret available in the settings. If it uses RS256 you need to obtain the PEM encoded public key of the signing key used to issue RS256 tokens. You can obtain that information from the https://{your_domain}.auth0.com/.well-known/jwks.json endpoint or directly by downloading the PEM public key at https://{your_domain}.auth0.com/pem. The first is the recommended way, as that endpoint is defined as part of standards, while the second is an Auth0-specific endpoint.
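The RS256 path from the answer above, as an added example that is not part of the original thread or of any of the libraries named in it: it turns a JWKS entry into the PEM public key that `secretOrPublicKey` expects and verifies a token with Node's built-in `crypto` (Node 16 or later assumed). The key pair, the `sample-kid` identifier, the JWKS document and all function names are constructed for illustration; a real JWKS would be fetched from the tenant's jwks.json endpoint.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for the tenant's signing key and its jwks.json document
// (nothing here is real Auth0 data; a real JWKS is fetched over HTTPS and cached).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const sampleJwks = {
  keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'sample-kid', use: 'sig', alg: 'RS256' }],
};

const b64url = (value) => Buffer.from(value).toString('base64url');

// Constructed RS256 token signed with the sample private key (hypothetical helper).
function signSampleToken(payload, kid = 'sample-kid') {
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT', kid }));
  const signingInput = `${header}.${b64url(JSON.stringify(payload))}`;
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Pick the JWKS entry matching the token's kid and convert it to a PEM public key.
function pemFromJwks(jwks, kid) {
  const jwk = jwks.keys.find((k) => k.kid === kid && k.kty === 'RSA');
  if (!jwk) throw new Error(`no RSA signing key with kid ${kid}`);
  return crypto.createPublicKey({ key: jwk, format: 'jwk' }).export({ type: 'spki', format: 'pem' });
}

// Verify an RS256 token against the JWKS; returns the payload or throws.
function verifyRs256(token, jwks) {
  const [headerB64, payloadB64, signatureB64] = token.split('.');
  if (!signatureB64) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString());
  // Pin the algorithm: the token header must not be allowed to select HS256 or "none".
  if (header.alg !== 'RS256') throw new Error(`unexpected alg ${header.alg}`);
  const pem = pemFromJwks(jwks, header.kid);
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${headerB64}.${payloadB64}`),
    pem, Buffer.from(signatureB64, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const payload = JSON.parse(Buffer.from(payloadB64, 'base64url').toString());
  if (typeof payload.exp === 'number' && payload.exp * 1000 <= Date.now()) {
    throw new Error('token expired');
  }
  return payload;
}
```

When the PEM is handed to a JWT library instead, restrict the accepted algorithms to RS256 there as well, so a token claiming HS256 cannot be checked against the public key as if it were an HMAC secret.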