tokusumi / fastapi-cloudauth

Simple integration between FastAPI and cloud authentication services (AWS Cognito, Auth0, Firebase Authentication).
MIT License

Aud(ience) is not verified #40

Open spawn-guy opened 3 years ago

spawn-guy commented 3 years ago

I can't seem to find an audience (and the rest of the params) verifier. It seems that only the signature is verified.

I see a decode method that should do all that and get the needed information back here: https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L57

Can this be used?

tokusumi commented 3 years ago

@spawn-guy Thank you for your issue and proposed solution. This is fixed in #45.

jleclanche commented 3 years ago

@tokusumi Hi! I just upgraded to 0.4.0. I'm using Auth0 and I see that customAPI is now a required parameter to Auth0().

I understand this will essentially validate the client ID that is trying to authenticate. Now, what if there are multiple valid client IDs we want to authenticate against?

One scenario I could see: an Android app, an iOS app and an Electron app, all three with different client IDs, trying to auth against the same endpoint.

This is a bit confusing and not made clear in the docs (it just says "audience"). WDYT?

spawn-guy commented 3 years ago

@jleclanche you need to validate against server keys, not the client keys.

The client gives you a token, and the server validates that it can accept the token. The token is valid and the token allows access to this server.

jleclanche commented 2 years ago

@spawn-guy Thanks for the pointers. I think this could use some examples for auth0; I will try to figure out how to do it properly.