I’ve created a new middleware and now I check permissions for every protected route (it is identical to CheckScope, the only difference being that it checks not the scope but the permissions encoded in the access token).
One thing I can’t understand is how your PHP library integrated with Laravel verifies the JWT. I edit the secret in .env and I get no errors. I edit all the Auth0 settings (to wrong values) in .env and I get no errors again. If there is no checking at all, then any user can send a JWT with the necessary permission and the API will provide the data.
Should I somehow verify the signature, and how? Why are those settings needed?
I confess I haven’t run the Laravel API quickstart recently, but that quickstart goes through API authorization, where access tokens for the API in question are signed using RS256. That means the JWT is signed with the tenant private key (only available to the Auth0 server) and is validated with the tenant public key (which can be obtained by anyone, even programmatically).
With the above in mind, changing a secret in your configuration would be irrelevant, as those access tokens are not signed with a shared secret.
Can you clarify how your custom API is configured (in terms of settings in the Auth0 dashboard) and also what exact configuration you’re modifying?
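To make the RS256 point above concrete, here is an added Go example (not code from the Auth0 SDK, the Laravel quickstart, or either poster) that mints and verifies such a token with only the standard library. It assumes a locally generated RSA key pair standing in for the tenant key, and the names SignRS256, VerifyRS256 and b64 are its own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// SignRS256 mints a token the way the tenant does: with its private key.
func SignRS256(claims map[string]any, priv *rsa.PrivateKey) string {
	pb, _ := json.Marshal(claims)
	signed := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(pb)
	d := sha256.Sum256([]byte(signed))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signed + "." + b64.EncodeToString(sig)
}

// VerifyRS256 pins alg to RS256 and checks the signature over "header.payload" with
// the tenant PUBLIC key; no shared secret takes part, so editing one in .env changes nothing.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string }
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("header unreadable or alg is not RS256")
	}
	pb, err := b64.DecodeString(parts[1])
	sig, err2 := b64.DecodeString(parts[2])
	if err != nil || err2 != nil {
		return nil, fmt.Errorf("bad base64url segment")
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err) // forged or tampered
	}
	var claims map[string]any // only decoded once the signature holds
	err = json.Unmarshal(pb, &claims)
	return claims, err
}
```

A permissions check like the asker's middleware belongs after VerifyRS256 returns, never on claims decoded from an unverified token. A production middleware would also check iss, aud and exp, which this block leaves out to keep the signature step in focus.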