Hi, I saw a couple of other similar questions to mine in the community db but no answers. Hoping someone can shed some light.
I have a client app that's using the node js library to authenticate a user. It receives and stores the resulting id_token. Our Auth0 application is set up to use RS256. The client sends our python service the id_token in the Authorization header. The service is calling jwt.decode to verify the id_token, however it appears to be failing on the at_hash which is included in the claims.

If I specify the access_token argument to jwt.decode, hard-coding it to the value I manually stole from the client after authing, it all works perfectly. However, that means that the client now has to send the service both the id_token and the access_token. My (admittedly hazy) understanding is that it's using the access_token to sign the id_token, so sending them both across the wire seems counter-productive.

Is that accurate? How else can I validate the at_hash successfully in a BE service, from a token created by a node app? Is it even necessary to verify the
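For readers working through the same problem, the following is an added example (not code from the post above, nor from Auth0 or any library) showing what the at_hash check actually is. Per OpenID Connect Core 3.1.3.6, at_hash is derived from the access token that was issued together with the id_token: hash the access token with the digest matching the ID token's signature algorithm (SHA-256 for RS256), keep the left half of the digest, and base64url-encode it without padding. The access token is not used to sign the id_token; at_hash only lets a party that holds both tokens confirm they belong to the same issuance. The token and claim values below are constructed, and the check is meant to run only after the id_token's signature, issuer, audience and expiry have been verified.

```python
import base64
import hashlib
import hmac

# Digest for at_hash is selected by the ID token's signing algorithm
# (OpenID Connect Core 3.1.3.6). RS256, the algorithm named in the post, uses SHA-256.
HASH_FOR_ALG = {
    "RS256": "sha256", "ES256": "sha256", "HS256": "sha256",
    "RS384": "sha384", "ES384": "sha384", "HS384": "sha384",
    "RS512": "sha512", "ES512": "sha512", "HS512": "sha512",
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Hash the ASCII access token, keep the left half of the digest,
    and base64url-encode it with the '=' padding stripped."""
    hash_name = HASH_FOR_ALG[alg]
    digest = hashlib.new(hash_name, access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def verify_at_hash(claims: dict, access_token: str, alg: str = "RS256") -> bool:
    """Return True when claims['at_hash'] matches the supplied access token.

    Only meaningful after the ID token's signature, iss, aud and exp have
    already been validated; a missing at_hash claim is treated as a mismatch.
    """
    actual = claims.get("at_hash")
    if actual is None:
        return False
    expected = compute_at_hash(access_token, alg)
    # Constant-time comparison so the check itself leaks nothing about the value.
    return hmac.compare_digest(expected, actual)


# Constructed sample data: these are placeholders, not real Auth0 tokens or identifiers.
SAMPLE_ACCESS_TOKEN = "constructed.access.token.value"
SAMPLE_CLAIMS = {
    "iss": "https://example-tenant.example.com/",
    "sub": "auth0|constructed-user-id",
    "aud": "constructed-client-id",
    "at_hash": compute_at_hash(SAMPLE_ACCESS_TOKEN, "RS256"),
}


if __name__ == "__main__":
    print("at_hash claim:", SAMPLE_CLAIMS["at_hash"])
    print("matches the paired access token:", verify_at_hash(SAMPLE_CLAIMS, SAMPLE_ACCESS_TOKEN))
    print("matches an unrelated token:", verify_at_hash(SAMPLE_CLAIMS, "some-other-token"))
```

This is the same computation a library performs when it is handed the access token alongside the id_token (python-jose's jose.jwt.decode does it through its access_token argument, which is the behaviour the post describes). The practical consequence is that a backend that receives only the id_token cannot evaluate at_hash at all, because the claim is a commitment to a value it never sees; the design decision is whether the service needs to bind the two tokens together (in which case both must arrive) or whether verifying the id_token's signature and standard claims is sufficient for its purpose.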