Verify that the access token and ID token are actually related to each other

Hi,
How do I verify that an access token and an id-token are actually related?
I see that Google has a hash of the access token in the id-token as a claim, so one can check that they are related to each other. Does Auth0 have something similar?

I’m creating an auth proxy server for a load balancer, which redirects to and authorizes with Auth0 if the user tries to request a protected site through the load balancer.
It sets the current user's access token and id-token as cookies on the request to store the current user session. But without any way of verifying that the two are related to each other, the logged-in user could impersonate another user by replacing the id-token with another user's valid id-token. Some claims of the id-token are then set on the HTTP headers for the protected site to retrieve for HTTP header based authentication.

A way to stop using an id-token in the cookie headers could be retrieving the id-token from the /userinfo endpoint on each request, but that wouldn’t scale because of an extra HTTP request for each check of whether a site is protected. This could be solved by adding caching on the server side to avoid too many requests, or by storing the id-token on the server side to avoid exposing the possibility of manipulating the token, but that would break the auth-proxy backend's statelessness and thus would not scale as easily, and would complicate the solution by requiring a distributed backend cache.

Any advice?

@daniel7,

I am assuming this is somewhat related to your other topic.

If you get a JWT rather than an opaque token, you can verify the user of the token via the sub claim.

See JWT claims here:

Hope this helps!

Dan

1 Like
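The two binding checks discussed in this thread, the OIDC `at_hash` claim the question mentions for Google and the `sub` comparison Dan suggests for JWT access tokens, can be combined in one proxy-side check. The code below is an added example written for this thread; it is not from the original posts and not part of any Auth0 SDK. The sample tokens, issuer, audiences and subjects are constructed placeholders, the signature segment is a dummy, and the code assumes the proxy has already verified both JWT signatures against the tenant's JWKS before calling it (signature verification is deliberately out of scope here). Whether a given issuer populates `at_hash` depends on the flow, so an absent `at_hash` is treated as "no evidence" rather than as a pass, and a pair that cannot be bound by either check is rejected.

```python
import base64
import hashlib
import hmac
import json

# Added example, not Auth0 code. The hash for at_hash follows the ID token's
# JWS "alg": SHA-256 for *S256, SHA-384 for *S384, SHA-512 for *S512.
HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256, "HS256": hashlib.sha256,
    "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384, "HS384": hashlib.sha384,
    "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512, "HS512": hashlib.sha512,
}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as JOSE uses it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_jwt(token: str):
    """Return (header, claims) of a compact JWT. Does NOT verify the signature;
    the caller is assumed to have done that already."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("JWT header and payload must be JSON objects")
    return header, claims


def is_jwt(token: str) -> bool:
    """Opaque access tokens are just random strings; JWTs decode cleanly."""
    try:
        decode_jwt(token)
        return True
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return False


def compute_at_hash(access_token: str, id_token_alg: str) -> str:
    """OIDC Core 3.1.3.6: hash the access token with the alg's hash, keep the
    left half of the digest, base64url-encode it."""
    digest = HASH_FOR_ALG[id_token_alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def tokens_belong_together(id_token: str, access_token: str):
    """Return (ok, reason). ok is True only if at least one binding check could
    be performed and every check that could be performed passed."""
    id_header, id_claims = decode_jwt(id_token)
    checks_passed = 0

    # Check 1: at_hash. Works whether the access token is opaque or a JWT.
    at_hash = id_claims.get("at_hash")
    if at_hash is not None:
        alg = id_header.get("alg", "")
        if alg not in HASH_FOR_ALG:
            return False, f"unsupported id_token alg {alg!r}"
        if not hmac.compare_digest(at_hash, compute_at_hash(access_token, alg)):
            return False, "at_hash does not match the access token"
        checks_passed += 1

    # Check 2: JWT access token, compare subjects (the suggestion in this thread).
    if is_jwt(access_token):
        _, at_claims = decode_jwt(access_token)
        if at_claims.get("sub") is None or at_claims.get("sub") != id_claims.get("sub"):
            return False, "sub claims differ"
        checks_passed += 1

    if checks_passed == 0:
        return False, "no at_hash and opaque access token: tokens cannot be bound"
    return True, "tokens belong to the same session"


def _fake_jwt(header: dict, claims: dict) -> str:
    """Constructed sample token with a dummy signature segment (for the demo only)."""
    enc = lambda obj: b64url_encode(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(claims), b64url_encode(b"not-a-real-signature")])


# Constructed sample data: placeholder issuer, audiences and subjects.
ISS = "https://example-tenant.example.test/"
ACCESS_TOKEN_ALICE = _fake_jwt({"alg": "RS256", "typ": "JWT"},
                               {"iss": ISS, "sub": "auth0|alice", "aud": "https://api.example.test", "exp": 1700000000})
ACCESS_TOKEN_BOB = _fake_jwt({"alg": "RS256", "typ": "JWT"},
                             {"iss": ISS, "sub": "auth0|bob", "aud": "https://api.example.test", "exp": 1700000000})
ID_TOKEN_ALICE = _fake_jwt({"alg": "RS256", "typ": "JWT"},
                           {"iss": ISS, "sub": "auth0|alice", "aud": "client-id-placeholder",
                            "at_hash": compute_at_hash(ACCESS_TOKEN_ALICE, "RS256")})
ID_TOKEN_BOB = _fake_jwt({"alg": "RS256", "typ": "JWT"},
                         {"iss": ISS, "sub": "auth0|bob", "aud": "client-id-placeholder",
                          "at_hash": compute_at_hash(ACCESS_TOKEN_BOB, "RS256")})
OPAQUE_ACCESS_TOKEN = "opaque-access-token-constructed"
ID_TOKEN_OPAQUE_BOUND = _fake_jwt({"alg": "RS256", "typ": "JWT"},
                                  {"iss": ISS, "sub": "auth0|carol", "aud": "client-id-placeholder",
                                   "at_hash": compute_at_hash(OPAQUE_ACCESS_TOKEN, "RS256")})
ID_TOKEN_UNBOUND = _fake_jwt({"alg": "RS256", "typ": "JWT"},
                             {"iss": ISS, "sub": "auth0|carol", "aud": "client-id-placeholder"})

if __name__ == "__main__":
    print(tokens_belong_together(ID_TOKEN_ALICE, ACCESS_TOKEN_ALICE))   # genuine pair
    print(tokens_belong_together(ID_TOKEN_BOB, ACCESS_TOKEN_ALICE))     # swapped id-token, the scenario in the question
    print(tokens_belong_together(ID_TOKEN_OPAQUE_BOUND, OPAQUE_ACCESS_TOKEN))
    print(tokens_belong_together(ID_TOKEN_UNBOUND, OPAQUE_ACCESS_TOKEN))
```

In the proxy this check would run on every request right after both cookie values have been signature-verified, before any id-token claim is copied into an upstream header; the swapped id-token case from the question fails on `at_hash` first and, with JWT access tokens, would also fail on `sub`, so either mechanism alone closes that gap as long as one of them is available.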

Thank you! Seems like JWT access token is the answer for both my problems with validating access token and comparing id token to access token.

1 Like

Happy to help. Let us know if you have any other questions.

Thanks,
Dan

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.