Verify JWT token without knowing client id/secret

  • Which SDK this is regarding: auth0-php
  • SDK Version: 8.0.2
  • Platform Version: 8.0.8
  • Code Snippets/Error Messages/Supporting Details/Screenshots:

I’m implementing authentication for our own API using JWT. I’ve created an Auth0 API for this, and an Auth0 application that’s authorised to use it. Now, I’ve got the token validation/verification working:

public function verify(string $jwt): array
{
    $token = new Token(
        configuration: $this->configuration,
        jwt: $jwt,
    );

    return $token
        ->verify()
        ->validate()
        ->toArray()
    ;
}

However, the configuration requires a client id/secret. Both are unknown (afaik) when you only have a JWT passed in the Authorization header of a request. For now I only have 1 application that authenticates this way, but the idea was that when we open up our API for external clients, we would create an Auth0 application for each client.

My question is: how do I verify a token when I don’t know what client it’s for?

Hi @p.kruithof

I am not sure where client ID/secret is required in PHP. It is not required to validate an access token. See: https://auth0.com/docs/security/tokens/access-tokens/validate-access-tokens

Basically, you need to get the signature verification key and validate the signature, that it is well formed, and that certain fields (like issuer, expiration etc.) are valid.

John


Hi John, thanks for the quick response. Based on your answer, I dug into the SDK source some more and found that the client secret was only needed when using the HS256 signing algorithm (which we don’t use), so I was mistaken in that. The other thing was that for this use case, the SdkConfiguration that I used had no strategy key defined, which defaults to webapp, when instead it should be api. This way client_id is also not required anymore.

So that takes care of the problem, thanks! Maybe this post can help someone else out later with the same problem.

One last question: are the verify() and validate() calls enough to perform the checks you mentioned?

Hey @p.kruithof :wave: Looks good, verify() and validate() are all you’ll need there. It sounds like you’re working with Access Tokens rather than ID Tokens, right? If so, be sure to set the type during Token initialization to Auth0\SDK\Token::TYPE_TOKEN as it defaults to TYPE_ID_TOKEN. The validation checks are slightly different between the two.

Ah, I did not know that. Yes we do use access tokens, so I just changed that, thanks!
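
Added example, not part of the thread and not auth0-php's own code: the checks John lists (well-formed token, signature, issuer, audience, expiry) written out in plain PHP, showing that RS256 verification needs only the public half of the signing key, so no client id or secret is involved. The key pair, issuer and audience values are constructed for the demo; the function names are hypothetical.

```php
<?php
// Added illustration, not auth0-php code. Key, issuer and audience are constructed.
function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64url_decode(string $text): string
{
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $raw = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($raw === false) {
        throw new RuntimeException('segment is not base64url');
    }
    return $raw;
}

// Needs only the issuer's public key: no client id, no client secret.
function verify_access_token(string $jwt, string $pubPem, string $iss, string $aud): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('token is not well formed');
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h), true, 16, JSON_THROW_ON_ERROR);
    // Pin the algorithm: the token must not be able to select HS256 or "none".
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new RuntimeException('unexpected signing algorithm');
    }
    if (openssl_verify("$h.$p", b64url_decode($s), $pubPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('signature check failed');
    }
    $claims = json_decode(b64url_decode($p), true, 16, JSON_THROW_ON_ERROR);
    if (($claims['iss'] ?? null) !== $iss || !in_array($aud, (array) ($claims['aud'] ?? []), true)) {
        throw new RuntimeException('issuer or audience mismatch');
    }
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] <= time()) {
        throw new RuntimeException('token expired or exp missing');
    }
    return $claims;
}
// Constructed demo: a throwaway key pair stands in for the tenant's signing key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$head = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
$body = b64url_encode(json_encode(['iss' => 'https://tenant.example/', 'aud' => 'https://api.example', 'exp' => time() + 300]));
openssl_sign("$head.$body", $sig, $key, OPENSSL_ALGO_SHA256);
print_r(verify_access_token("$head.$body." . b64url_encode($sig), $pub, 'https://tenant.example/', 'https://api.example'));
```

In an application the SDK's verify() and validate() remain the calls to use; with HS256 the same signature step would instead require the shared client secret.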
