Open Artenuvielle opened 1 year ago
Thanks for the feedback @Artenuvielle. As this library is primarily concerned with application login, and as access tokens should be validated by the API they're intended for, we have not so far included a validator that validates access tokens. Are you in a scenario where you're using this SDK also on an application that provides an API protected by access tokens?
Late to the party here, but I can say that I am working with an app that uses this SDK for application login and also has a protected API we want to use access tokens for. Does Auth0 offer another package for use with machine-to-machine clients? We are trying to use Auth0 to unify the user base and authorization logic of three different applications, one built with Laravel and two built with Rails. The Laravel Auth0 package supports API authorization via access token, so I was hoping the recommended package for Rails did the same.
@ajoy39 Unfortunately today we don't have a built-in way to do this with one of our SDKs, and recognise that it is a gap when compared to some of our other SDKs. However, please check out this quickstart that shows one way to do API authorization with Auth0 in Rails (the quickstart uses the jwt gem).
Checklist

Describe the problem you'd like to have solved

The verify function in class Omniauth::Auth0::JWTValidator only checks that client_id is included in the audience of the given token. This works for validation of an id token, but not for an access token. Users may want to manually verify any tokens since this class is publicly accessible.

Describe the ideal solution

It could be useful to either have two functions (e.g. verifyIdToken and a more general verify) or set the client_id as a validation parameter when calling verify on id tokens.

Alternatives and current workarounds

Currently one can only use the decode function of said class and verify claims on their own.

Additional context

No response
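The workaround described in the issue is to decode the token and check the claims yourself. As an added example, not code from omniauth-auth0 or from Auth0, the block below shows what such a manual check looks like when the audience is the API identifier rather than the application's client_id. It implements RS256 with Ruby's stdlib OpenSSL instead of the jwt gem, and everything it uses is constructed for the example: the issuer, API identifier and client_id are hypothetical, and a throwaway RSA key stands in for the public key a real API would fetch from the tenant's JWKS.

```ruby
require 'openssl'
require 'json'

# Added example (not part of omniauth-auth0): validate an access token by hand.
# The issuer, API identifier and client_id below are hypothetical, and the RSA
# key is generated on the spot in place of the tenant's published JWKS.
module AccessTokenCheck
  class VerificationError < StandardError; end

  DEMO_ISSUER    = 'https://example-tenant.example.com/'  # hypothetical tenant domain
  DEMO_API       = 'https://api.example.com'              # hypothetical API identifier (audience)
  DEMO_CLIENT_ID = 'abc123clientid'                       # hypothetical application client_id
  DEMO_KEY       = OpenSSL::PKey::RSA.new(2048)           # constructed; a real API uses the tenant's public key

  def self.b64url_encode(bin)
    [bin].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    padded = str.tr('-_', '+/')
    padded += '=' * ((4 - padded.length % 4) % 4)
    padded.unpack1('m0') # strict decoding: raises ArgumentError on junk
  end

  # Mint an RS256 token so the example runs offline; the tenant does this in real life.
  def self.mint(claims, private_key)
    header = { alg: 'RS256', typ: 'JWT' }
    input = [header, claims].map { |h| b64url_encode(JSON.generate(h)) }.join('.')
    "#{input}.#{b64url_encode(private_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
  end

  # Verify the signature first, then the claims. `audience` is the API identifier
  # the resource server expects, not the login application's client_id.
  def self.verify(token, public_key:, issuer:, audience:, now: Time.now.to_i, leeway: 0)
    parts = token.split('.', -1)
    raise VerificationError, 'token must have three segments' unless parts.length == 3
    header = JSON.parse(b64url_decode(parts[0]))
    # Pin the algorithm: never let the header choose 'none' or an HMAC variant.
    raise VerificationError, "unsupported alg #{header['alg'].inspect}" unless header['alg'] == 'RS256'
    signing_input = "#{parts[0]}.#{parts[1]}"
    unless public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signing_input)
      raise VerificationError, 'signature verification failed'
    end
    claims = JSON.parse(b64url_decode(parts[1]))
    raise VerificationError, 'issuer mismatch' unless claims['iss'] == issuer
    raise VerificationError, 'audience mismatch' unless Array(claims['aud']).include?(audience)
    raise VerificationError, 'missing exp' unless claims['exp'].is_a?(Integer)
    raise VerificationError, 'token expired' if now > claims['exp'] + leeway
    raise VerificationError, 'token not yet valid' if claims['nbf'] && now + leeway < claims['nbf']
    claims
  rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError => e
    raise VerificationError, "malformed token: #{e.message}"
  end

  # Return the block's value, or the rejection reason.
  def self.outcome
    yield
  rescue VerificationError => e
    e.message
  end

  # Run five checks against a constructed token and return the outcome of each.
  def self.demo(now: 1_700_000_000)
    pub = OpenSSL::PKey::RSA.new(DEMO_KEY.public_key.to_pem)
    claims = { iss: DEMO_ISSUER, sub: 'auth0|user1', aud: [DEMO_API, "#{DEMO_ISSUER}userinfo"],
               iat: now, exp: now + 3600, scope: 'read:things' }
    token = mint(claims, DEMO_KEY)
    head, body, sig = token.split('.')
    # Same signature, different payload: must be rejected before any claim is read.
    tampered = "#{head}.#{b64url_encode(JSON.generate(claims.merge(scope: 'admin:things')))}.#{sig}"
    # Unsigned token with alg=none: must be rejected by the algorithm pin.
    alg_none = "#{b64url_encode(JSON.generate(alg: 'none', typ: 'JWT'))}.#{body}."
    {
      api_audience:       outcome { verify(token, public_key: pub, issuer: DEMO_ISSUER, audience: DEMO_API, now: now)['sub'] },
      client_id_audience: outcome { verify(token, public_key: pub, issuer: DEMO_ISSUER, audience: DEMO_CLIENT_ID, now: now) },
      expired:            outcome { verify(token, public_key: pub, issuer: DEMO_ISSUER, audience: DEMO_API, now: now + 7200) },
      tampered:           outcome { verify(tampered, public_key: pub, issuer: DEMO_ISSUER, audience: DEMO_API, now: now) },
      alg_none:           outcome { verify(alg_none, public_key: pub, issuer: DEMO_ISSUER, audience: DEMO_API, now: now) }
    }
  end
end

puts AccessTokenCheck.demo.inspect if $PROGRAM_NAME == __FILE__
```

The `client_id_audience` case is the point of the issue: the token is perfectly valid for the API, but a check keyed to the login application's client_id rejects it, so an access-token validator needs the API identifier as its expected audience. The order of checks also matters: the signature is verified before any claim is read, and the algorithm is pinned rather than taken from the header, so neither a re-signed payload nor an unsigned alg=none token reaches the claim checks.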