Where are jwks key IDs obtained from - anywhere in the auth0 GUI?

I’ve inherited a Node JS app, which sets about verifying an Auth0 auth token. It requires jsonwebtoken and jwks-rsa. In the call to jwks-rsa client .getSigningKey it has a hard-coded Key ID. Where does that Key ID come from? Is it accessible in the auth0.com GUI? Is it risky to have that hard-coded in source code going into a code repository?

Hi Kevin,

If I understand right, no this shouldn’t be hard coded. See the docs here:

John

John,

Thanks for your reply. I looked over the docs. I guess the answer to my question on where the Key ID comes from is that Auth0 creates it with the account. It just a way to index into a JSON array returned from the JWKS endpoint. Right now, there is only one key returned in the array, but the docs say:

Currently, Auth0 only supports a single JWK for signing; however, it is important to assume this endpoint could contain multiple JWKs

So, I guess the Key ID is important to reference into this array that may contain multiple key information. I see this key is a public key which anyone can retrieve from the endpoint without authentication. It is a way to verify that JWT came from Auth0.

So, I understand that the only way to obtain the Key ID today is to look at what is returned from the JWKS and use the sole Key ID returned. I don’t know how this will resolve in the future if there are multiple signing keys. Which one is the right one?

And, so the Key ID seems reasonable to hard-code, because, hopefully Auth0 is not changing that. You could rotate the actual private/public keys at any point, so we keep pulling the current public key from the JWKS endpoint.

Incidentally, the documentation for jwks-rsa shows the code with the Key ID hard coding. https://www.npmjs.com/package/jwks-rsa .

Note, I have written a lot here that was not found in the Auth0 documentation. It might help others if your company would document this.