When we get a JWT token from Auth0, is this signed by the Auth0 "Tenant" secret key, not a client secret key?
And when this is verified using the public key (via the JWKS URL, e.g. https://[domain]/.well-known/jwks.json), does this ensure that the whole token has not been tampered with?
And in .NET Core, is this validation performed automatically since we have set up this code:
.AddJwtBearer(options =>
{
    // Authority is the token issuer (https://[domain]/); the middleware loads the
    // OpenID discovery document from it and the signing keys from the jwks_uri it lists.
    options.Authority = domain;
    // Audience must match the "aud" claim in the token (the API identifier in Auth0).
    options.Audience = Configuration["Auth0:ApiIdentifier"];
});
And when we check the payload contents, can we be sure they have not been changed?
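The RS256 check the post describes, as an added example that is not part of the original post and not Auth0's or the .NET middleware's code: a Go program (chosen so it runs stand-alone with only the standard library) signs a token with a private key, publishes the public half in a JWKS document shaped like /.well-known/jwks.json, and then verifies the token the way a JwtBearer-style verifier does: pick the key by kid, check the signature over header.payload, then check issuer and audience. It also shows that a copy whose payload was edited while the original signature was kept is rejected. The issuer, audience, kid and claim values are constructed for the demo; no expiry (exp) check is implemented.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// signRS256 builds header.payload.signature the way the tenant's signing key does.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	pl, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	h := sha256.Sum256([]byte(input)) // the signature covers header AND payload
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return input + "." + b64.EncodeToString(sig)
}

// jwksFor publishes only the public half, as /.well-known/jwks.json does.
func jwksFor(pub *rsa.PublicKey, kid string) []byte {
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return out
}

// verifyRS256 mirrors what a JwtBearer-style verifier does with the downloaded JWKS:
// select the key by kid, check the signature over header.payload, then check iss/aud.
func verifyRS256(token string, jwksDoc []byte, iss, aud string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad base64 just fails later
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(dec(parts[0]), &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg") // never let the token choose none/HS256
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } } // JSON keys match fields case-insensitively
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, err
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, e := new(big.Int).SetBytes(dec(k.N)), new(big.Int).SetBytes(dec(k.E))
			pub = &rsa.PublicKey{N: n, E: int(e.Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no JWKS key with kid %q", hdr.Kid)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], dec(parts[2])); err != nil {
		return nil, fmt.Errorf("bad signature: header or payload altered, or signed with another key")
	}
	var claims map[string]any
	if err := json.Unmarshal(dec(parts[1]), &claims); err != nil {
		return nil, err
	}
	// A valid signature proves integrity, not that this API is the intended audience.
	if claims["iss"] != iss || claims["aud"] != aud { // real tokens may carry aud as an array
		return nil, fmt.Errorf("issuer or audience mismatch")
	}
	return claims, nil
}

// Demo signs a token, verifies it against the published JWKS, then shows that a copy
// whose payload was edited (but whose signature was kept) is rejected.
func Demo() (genuineOK, tamperedRejected bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://example-tenant.auth0.com/", "https://api.example.com" // constructed values
	set := jwksFor(&priv.PublicKey, "key-1")
	tok := signRS256(priv, "key-1", map[string]any{"iss": iss, "aud": aud, "sub": "user|1", "scope": "read"})
	_, err := verifyRS256(tok, set, iss, aud)
	genuineOK = err == nil
	p := strings.Split(tok, ".") // attacker rewrites the payload (scope read -> admin), keeps the signature
	forged, _ := json.Marshal(map[string]any{"iss": iss, "aud": aud, "sub": "user|1", "scope": "admin"})
	p[1] = b64.EncodeToString(forged)
	_, err = verifyRS256(strings.Join(p, "."), set, iss, aud)
	return genuineOK, err != nil
}

func main() {
	ok, rejected := Demo()
	fmt.Println("genuine token verified:", ok, "| tampered token rejected:", rejected)
}
```

Two points the example makes that the signature check alone does not: the verifier fixes the algorithm itself instead of trusting the token's alg header, and an intact signature only proves the token was not altered since signing, so issuer, audience and (omitted here) expiry still have to be checked, which is what the Authority and Audience settings in the .NET configuration cover.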