Auth0 Home Blog Docs

Verifying RS256 token using downloaded certificate

token
jwks
rs256
certificate

#1

I am able to successfully verify a RS256 token using the public key I extracted from the certificate which I downloaded on the clients page then I just passed that in my app as the secret. I am aware that the standard for verifying RS256 tokens should be through the jwks endpoint. What are the cons of how I am currently verifying my tokens?


#2

The most notable difference between hardcoding the public key versus obtaining it dynamically would be that in case of key rotation the dynamic approach would not imply any change on the client applications, while the other approach would indeed require manual intervention.


#3

How often do key rotations happen? Are they triggered by something? Or is just random?


#4

How often do key rotations happen? Are they triggered by something? Or is just random?


#5

At this time, key rotations would only happen by your request or at most in very extreme situations as part of responding to a security incident. In conclusion, unless you request them which would mean it would be coordinated with you they are currently very unlikely to happen.


#6

Alright, I am now convinced. Will implement verifying through the jwks endpoint now. Thanks


#7

Hi,

out of curiosity, could you elaborate on how i can verify token using downloaded certificate? I mean via code.


#8

What we did was read tje contents of the certificate file and set it as the jwt secret.


#9