Dear all,
I have an SPA (React) and a back-end API (Python), and I use a JWT access_token to authorize the client to use the API.
My requirements in the back-end are: authorization to access the API, and identification of the user (simply accessing an id that can be used to query our own database).
In order to be fast, I implemented the 2 steps with the same access_token, by implementing a rule to add the id in the access_token. This allows me to save some time by not further querying the /user-info endpoint to identify the user once authorized.
Nonetheless, in this article, I found the following advice:
Access tokens must never be used for authentication
I think this is meant to provide advice for the application and not the API, but I wanted to be sure. So, here is my first question:
- Is putting an id (not really sensitive information) in an access_token to identify the user in a back-end API OK?
I also have another question regarding JWT.
The access_token, if I understand well, is generated by Auth0 using a secret key (from the tenant, used to sign the token) and provided to the client on login. Then, the validity of this access_token is verified in the back-end using the public key of the tenant.
So, what I cannot explain is that jwt.io can verify the signature of a token without any information (given by the user) on the public keys.
- How can jwt.io verify the signature of a token without any information on the public keys? Are they fetched automatically from the iss field of the token?
I thank you very much for your time and answer.