Is it possible to return JWT Header's KID field in AuthResult returned after Authentication?

jwks
authentication
jwt-validation
openidconnect

#1

I’m validating the id_token retrieved after Authentication to determine if it was sent by Auth0. To do this I need to first decode the id_token in order to access the kid property which I then use to key the auth0-provided jwks for the x05c used to build a public key to validate the JWT signature.

I am asking if there is a way to obtain the kid field in the authResult object instead so I don’t have to first decode the token.


#2

Not to my knowledge, so for that representation of a JWT you would indeed first have to decode the header component in order to proceed with the validation. Ideally and if possible you would just use a library that has built-in support for the JSON web keys endpoint and does all that for you.
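
The flow discussed in this thread (decode the header, use its kid to pick a key from the JWKS, verify the signature), as an added example that is not part of the original posts and is not Auth0's code. It uses only Node's built-in crypto module instead of jwks-rsa and jsonwebtoken, builds the key from the JWK's n/e members rather than x5c, and runs on a constructed key pair, kid and claims.

```javascript
const crypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Read the header WITHOUT trusting it: it is only used to choose a key.
function readHeader(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return fromB64url(parts[0]);
}

// Verify an RS256 token against a JWKS document; returns the payload.
function verifyWithJwks(token, jwks) {
  const { alg, kid } = readHeader(token);
  // Pin the algorithm here instead of letting the token header choose it.
  if (alg !== 'RS256') throw new Error('unexpected alg: ' + alg);
  if (typeof kid !== 'string') throw new Error('missing kid');
  const jwk = jwks.keys.find((k) => k.kty === 'RSA' && k.kid === kid);
  if (!jwk) throw new Error('no JWKS key for kid: ' + kid);
  const publicKey = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const [h, p, s] = token.split('.');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p),
    publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  return fromB64url(p);
}

// Constructed demo data: a throwaway key pair, kid and claims.
function makeDemo() {
  const { publicKey, privateKey } =
    crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', use: 'sig' };
  const input = b64url({ alg: 'RS256', typ: 'JWT', kid: 'demo-key-1' }) +
    '.' + b64url({ sub: 'user|123', aud: 'demo-client' });
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return { token: input + '.' + sig.toString('base64url'), jwks: { keys: [jwk] } };
}

const demo = makeDemo();
console.log(readHeader(demo.token).kid, verifyWithJwks(demo.token, demo.jwks));
```

This covers the signature step only; validating an id_token also means checking claims such as iss, aud and exp.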


#3

Thank you for your response – I am currently using auth0’s [jwks fetcher](https://github.com/auth0/node-jwks-rsa) to grab the arguments for validation from the jwks and then feeding them to [node-jsonwebtoken](https://github.com/auth0/node-jsonwebtoken) which is the only recommended nodejs impl listed on jwt.io (which I believe is auth0’s own site?). This impl requires that I fetch the kid from the incoming id_token.

Is there a better way I can do this in reactjs/node?


#4

So looking more closely at my solution… am I correct in discovering that auth0’s parse hash does much more than just construct an AuthResult object from the URL params access_code and id_token?

It not only does that but also validates the id_token using the auth0 jwks…

…An entire process I spent the entire last weekend figuring out how to do! haha Well I guess I know what’s happening behind the scenes better now. But a suggestion – perhaps rename the parseHash method to be something more akin to its purpose of also validating the signature of the id_token JWT? haha

Anyway, looks like I can remove a big chunk of code now – ty!

