Where do I get the JWT token when using lock and the hosted pages?

I have the hosted pages setup and using mod_auth_openidc with Apache2 to handle the openid portion of auth.

That process works. I can use Google to authenticate but I don’t have a JWT token.

Where the heck is the JWT token? I don’t see it in any part of the JSON , headers, or cookies going over the wire.

What I want to do is store it in a cookie and then haproxy will validate the JWT as part of the web application.

I’m assuming that by JWT token you mean the ID token issued as part of an OIDC authentication process. The reason I mention this is that when doing an OAuth 2.0 authorization request for a custom API you configured at Auth0 the issued access token can also use the JWT format.

The ID token will be returned either as part of the authorization endpoint response when doing an implicit grant or as part of the token endpoint response for authorization code grant or resource owner password credentials grant. For the token endpoint is part of the response body which is returned as JSON while for the authorization endpoint it depends on the response mode being used.

In conclusion, there is not enough information to troubleshoot why you don’t receive an ID token if that is indeed the JWT token you’re mentioning; you should update your question with additional information about grants being used, the parameter configuration and/or the mod_auth_openidcconfiguration which can also provide equivalent information although I confess I never used that one so raw OIDC/OAuth 2.0 parameter values will be easier for me to process.