Should I be validating JWT on my back-end with or without secret?

I’m using the express-oauth2-jwt-bearer Node.js package on my back end to validate an Auth0 JWT passed to it from the (separate, SPA) front-end, like so:

const { auth } = require('express-oauth2-jwt-bearer');
auth({
	audience: process.env.AUTH0_API_AUDIENCE,
	issuerBaseURL: process.env.AUTH0_API_DOMAIN
});

This is how the package’s docs suggest you do it. However, the same docs then give a further example, for tokens signed with "symmetric algorithms", where a secret is used in the validation, like so:

  auth({
    issuer: 'https://YOUR_ISSUER_DOMAIN',
    audience: 'https://my-api.com',
    secret: 'YOUR SECRET',
    tokenSigningAlg: 'HS256',
  })

So do I need the first approach, which doesn’t use secret, or the second, which does? I’m quite new to JWT. I just want to know that I’m doing this securely.

Thank you!

Hey @kkrp1 !

Great question! It depends on which algorithm you’re using to sign tokens (you can check in your application settings → Advanced → OAuth tab, as well as in your API settings). Typically this will be RS256, which is asymmetric, won’t involve using a secret, and is generally considered more secure. HS256 is symmetric and requires a secret. Some further resources on this topic:

Hope this helps to clarify!

Aha yes it is set to RS256 (actually, it won’t let me change this, even if I wanted to) so I’m all good and secure, then, by the sounds of it.

I’m still getting my head around JWTs! Trying to understand how it can be secure, if secrets aren’t involved. Just to double-double-check, this is what I’m doing:

Front-end, using JS SDK:

const auth0Client = await createAuth0Client({
	domain: '<my-auth0-domain>',
	clientId: '<my-auth0-client>',
	... //bunch of other config here
})

Back-end, to validate the JWT passed to it by the front-end:

const { auth } = require('express-oauth2-jwt-bearer');
module.exports.validateJwt = auth({
	audience: '<auth0-api-identifier>',
	issuerBaseURL: '<auth0-domain>'
});

And everything works, I’m just a little alarmed at how there’s no secrets involved! But everything I read (not least on this forum) suggests I’m on the right lines?

Thanks for the continued help!


Hey @kkrp1 thanks for following up here and happy to help!

Everything looks good to me! Aside from validating the tokens, the express-oauth2-jwt-bearer library provides some helpful functions for more granular authorization as outlined here:

Cheers!


Thanks for this - I just had a read of it. I notice there’s a method for checking scope. Would you mind briefly explaining how this might work with/relate to Auth0? Right now I’m merely validating the JWT, as shown, and I’m handling all permissions app-side i.e. I have a custom, proprietary permissions system that I’m managing outside of Auth0. With this in mind, would I be right in thinking I don’t really need to get involved in Auth0-side scopes and roles (not currently sure of the difference)?

Hey @kkrp1 no problem!

If you’re already handling this on your own, then you probably don’t need to worry about the other functions provided for checking scopes, claims, etc. They exist for more granular authorization beyond just checking to make sure the access token is valid. For example, you might check to make sure a user has a specific scope, claim, role, etc. before they are able to access a given endpoint. Some examples here:

