I raised a thread a few months ago (Sanity check on usage of serverless functions and Auth0) and unfortunately got too busy to continue with the demo. In that thread, Dan shared some sample code I could use to verify an access token retrieved on the client side via getTokenSilently.
In using the sample code though, I always get a jwt malformed error. I get a similar issue at jwt.io. (Although it can show a header w/ my domain in it.)
I’m assuming I’m doing something dumb here - does anyone see anything?
let token = 'token copied and pasted from a web app using auth0';
let domain = "dev-f8e09ups.us.auth0.com";
var jwt = require('jsonwebtoken');
var jwksClient = require('jwks-rsa');
var client = jwksClient({
  jwksUri: `https://${domain}/.well-known/jwks.json`
});
// Looks up the signing key for the kid named in the token header
function getKey(header, callback) {
  client.getSigningKey(header.kid, function(err, key) {
    if (err) return callback(err); // forward lookup errors instead of dereferencing an undefined key
    var signingKey = key.publicKey || key.rsaPublicKey;
    callback(null, signingKey);
  });
}
jwt.verify(token, getKey, function(err, decoded) {
  console.log(err) // "jwt malformed" here means the token is not a JWT at all
});
Did you pass in an audience parameter to retrieve your access token? If you don’t pass in this parameter, you’ll get an opaque token, which is just a random string of characters, not a JWT.
I’m not sure what you’re using to get the access token on the client. If you’re using one of our SDKs, they should have a way to pass in the audience. For example, here’s how it might look in an Angular app:
It’s possible that your audience contains your domain name. If you log in to your Auth0 Dashboard and go to Applications > APIs, you’ll see your APIs and their audiences. Copy it and put it in your JavaScript as a parameter and it should get you a JWT for the access token.
Boom, that did it, although I had to switch to getTokenWithPopup (although I believe Silently will work off localhost).
I appreciate your patience.
If you see the other thread I linked to up top, the whole point of this is:
Log in to my app - and then get my sub value to use with the management API to make calls for the logged in user. In the other thread, it was suggested it would be more secure to get the token as well and verify that as well.