How to verify that a JWT is legit?

Hello,

I receive an ID Token when a user login to the app.
I want to check in my server that the JWT is valid.
And then show to my user some specific datas that are not stored with auth0 from my server.

Is there a way to verify that the nonce in the JWT is the same as the nonce when auth0 created the JWT? If not how can I check I’m not victim of a replay attack? If yes how can I check?

How can I make sure that the token was signed by the private key associated with my app?

If someone create a fake JWT that decode to informations that are consistent with the payload. I can get tricked, I cannot use the payload to verify.

Also anyone can access my domain key set by checking

https://domain/.well-known/jwks.json

So the JWT counterfeiter can just verify that his fake JWT verifies with the public signature before sending it to my server.

So how do I verify that a JWT is legit when I receive one?

Hi @Ilanoh,

Thanks for the thorough questions.

What is the nonce you are referencing here? Do you have an example or the name of the claim you are looking at? If you’re talking about the nonce in the authorize request, you can use one of our SDKs to handle the transaction and you won’t have to handle the nonce at all.

This article shares some strategies for preventing replay attacks.

This is the purpose of the token signature. A token signature cannot be validated with the associated public key if it wasn’t signed by the private key. This is a fundamental function of JWTs.

You need to validate the signature before trusting the token.

Yes, this is an important feature of asymmetric encryption.

This would require that they brute force the private key, and that isn’t going to happen in our current era of computing. This is fundamental of all cryptography.

By validating the signature with the public key. Here’s some reading on it Signing Algorithms.

3 Likes

Thanks for the answers, i recently learned about asymmetric, i was more used to hashcash, i try to verify the token in apex salesforce, do you have any ressources on this? because in apex there isn’t much documentation and no libraries or sdk.

there is a function like this:

Crypto.verify('RSA-SHA256', payload, signature, publickey)

But it doesn’t work, how would you do?

That looks like the correct approach to me. What happens when you try this out? Do you see any errors?

Additionally, you can provide a sample token, and how you use the inputs payload, signature, publickey.

You can also DM me if the data is private.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.