I receive an ID Token when a user logs in to the app.
I want to check in my server that the JWT is valid.
And then show my user some specific data that is not stored with Auth0, from my server.
Is there a way to verify that the nonce in the JWT is the same as the nonce when Auth0 created the JWT? If not, how can I check that I’m not the victim of a replay attack? If yes, how can I check?
How can I make sure that the token was signed by the private key associated with my app?
If someone creates a fake JWT that decodes to information that is consistent with the payload, I can get tricked; I cannot use the payload to verify.
Also, anyone can access my domain’s key set by checking
https://domain/.well-known/jwks.json
So the JWT counterfeiter can just verify that his fake JWT verifies with the public signature before sending it to my server.
So how do I verify that a JWT is legit when I receive one?
What is the nonce you are referencing here? Do you have an example or the name of the claim you are looking at? If you’re talking about the nonce in the authorize request, you can use one of our SDKs to handle the transaction and you won’t have to handle the nonce at all.
This is the purpose of the token signature. A token signature cannot be validated with the associated public key if it wasn’t signed by the private key. This is a fundamental function of JWTs.
You need to validate the signature before trusting the token.
Yes, this is an important feature of asymmetric encryption.
This would require that they brute force the private key, and that isn’t going to happen in our current era of computing. This is fundamental to all cryptography.
By validating the signature with the public key. Here’s some reading on it: Signing Algorithms.
Thanks for the answers. I recently learned about asymmetric cryptography; I was more used to Hashcash. I am trying to verify the token in Apex (Salesforce); do you have any resources on this? Because in Apex there isn’t much documentation and no libraries or SDK.