I am new to Auth0 and not terribly knowledgeable about JWT.
Assuming I already have an (RS256) access token returned by Auth0, I would now like to verify that token on the server.
To verify the token, I need to use my application’s public key. From what I understand, I can attain this public key a few different ways:
- I could download the public key from Settings > Show Advanced Settings > DOWNLOAD CERTIFICATE
- I could use a JWK library which, based on data encoded in the access token, knows to fetch the JWK from https://DOMAIN.eu.auth0.com/.well-known/jwks.json via an HTTP request (and, optionally, cache it)
It seems like Auth0 encourages users to use JWK, but what are the practical benefits? I read the Auth0 documentation but unfortunately, I am still unclear.
I am specifically curious why libraries like express-jwks fetch the data from https://DOMAIN.eu.auth0.com/.well-known/jwks.json and, in many cases, temporarily cache it. Is this purely for convenience?
In my case, I am intending to deploy my code as an AWS Lambda function. I am new to this technology as well, but due to the stateless nature of cloud functions, I don’t expect I can cache the JWK easily. In that case, would it make sense to fetch the JWK with each auth request? Surely there must be an upside to justify this; otherwise, I could simply store the public key locally as a PEM?
Thank you for taking the time to read my question.