I’ve inherited a Node JS app, which sets about verifying an Auth0 auth token. It requires jsonwebtoken and jwks-rsa. In the call to jwks-rsa client .getSigningKey it has a hard-coded Key ID. Where does that Key ID come from? Is it accessible in the auth0.com GUI? Is it risky to have that hard-coded in source code going into a code repository?
If I understand right, no this shouldn’t be hard coded. See the docs here:
Thanks for your reply. I looked over the docs. I guess the answer to my question on where the Key ID comes from is that Auth0 creates it with the account. It just a way to index into a JSON array returned from the JWKS endpoint. Right now, there is only one key returned in the array, but the docs say:
Currently, Auth0 only supports a single JWK for signing; however, it is important to assume this endpoint could contain multiple JWKs
So, I guess the Key ID is important to reference into this array that may contain multiple key information. I see this key is a public key which anyone can retrieve from the endpoint without authentication. It is a way to verify that JWT came from Auth0.
So, I understand that the only way to obtain the Key ID today is to look at what is returned from the JWKS and use the sole Key ID returned. I don’t know how this will resolve in the future if there are multiple signing keys. Which one is the right one?
And, so the Key ID seems reasonable to hard-code, because, hopefully Auth0 is not changing that. You could rotate the actual private/public keys at any point, so we keep pulling the current public key from the JWKS endpoint.
Incidentally, the documentation for jwks-rsa shows the code with the Key ID hard coding. https://www.npmjs.com/package/jwks-rsa .
Note, I have written a lot here that was not found in the Auth0 documentation. It might help others if your company would document this.