TokenVerifier #243
Hi,
Is the TokenVerifier class only for use with ID tokens? I see mostly TokenValidation error messages referring to ID tokens in the code, but can not see why I would not want to validate claims for the access token also (i.e. expiration). I have tested it on an access token, which works if I only have a single audience. If I have a list (say my API + /userinfo, which is automatically included when scope contains openid) it raises an error in the #Audience section, and if I include only the one audience claim I asked for in GetToken.login() it will throw an error in the #Authorized party section.
So.. the feature request is the following:
Can I have a TokenVerifier that works with AccessTokens also, pretty please?
Comments
@StigKorsnes Yes, it's meant to be used with ID tokens for now. The steps of the validation follow the OIDC specification. Verifying an access token has different steps. There are no short-term plans to extend support for verifying access tokens. Source: https://github.com/auth0/auth0-python#id-token-validation
@lbalmaceda May I ask what the different steps are? I have been using the AsymmetricSignatureVerifier for signature verification, and wrote some extra validations along the lines of what is done in the TokenVerifier for iat, exp and some others. Have I been consuming tokens under a false sense of security? I have also seen the Python example from the docs, and can not see why you would not want to include it in the SDK? For all of us writing APIs this is kind of the key security measure. All other userinfo etc. we can get backend from the management API using client credentials. The other APIs, auth0-react etc., do they not have access token validation for JWTs?
There are SDKs focused on API access and authorization but there's no official Auth0 Python SDK for that. This SDK is an implementation of the Auth0 authentication and management APIs. The checks you would want to do against an access token relate to the token signature (asserts token contents were not changed) and authorization level (audience / name of the API, scope granted to that person, etc.). Check https://auth0.com/docs/tokens/access-tokens/validate-access-tokens
Well, scopes are kind of endpoint specific so do not belong here. My point is that it should validate the standard claims, like audience and expiry. You explicitly turn off all but the signature verification part in jwt.decode, while jwt.decode natively supports some of them.
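As an added example (not code from auth0-python and not posted by anyone in this thread), here is the kind of access-token check the replies describe: pin the algorithm, verify the signature, then check iss, aud, exp and iat. It uses HS256 with a shared secret from the standard library so it runs offline; real Auth0 access tokens are RS256 and the verifying key has to come from the tenant's JWKS, so the signing and signature-check code here is a stand-in for that. The issuer, audience, secret and claim values are all constructed for the example. Unlike the ID-token rules, it accepts an aud list as long as the API's own identifier is present and does not require azp, which is the multi-audience case from the issue body; scope is left to the endpoint.

```python
"""Access-token claim validation in the style of the checks discussed in this
thread. Added example, not auth0-python code. HS256 via stdlib hmac is used only
so it runs offline; Auth0 issues RS256 access tokens whose key comes from the
tenant JWKS. Every secret, issuer, audience and claim value is constructed."""
import base64
import hashlib
import hmac
import json
import time


class AccessTokenError(Exception):
    """Raised for any token that must not be accepted by the API."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWTs strip base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS. Only used to construct test tokens here."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_access_token(token, secret, issuer, audience, now=None, leeway=60):
    """Return the claims if the token is acceptable for this API, else raise.

    Signature first, so no claim is trusted before it is authenticated. The
    ID-token rule "aud list => azp required" is deliberately not applied, and
    scope is not checked here because it is endpoint specific.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise AccessTokenError("token is not a three-part JWS")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise AccessTokenError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AccessTokenError("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise AccessTokenError(f"issuer {claims.get('iss')!r} is not {issuer!r}")
    # aud is a string or a list (the API plus /userinfo when openid was
    # requested); accept it when this API's own identifier is present.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in aud_list:
        raise AccessTokenError(f"audience {aud!r} does not include {audience!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise AccessTokenError("token expired or has no exp")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        raise AccessTokenError("token issued in the future")
    return claims


if __name__ == "__main__":
    # Constructed values for a local run.
    secret = b"constructed-demo-secret"
    iss = "https://tenant.example.auth0.com/"
    api = "https://api.example.com/"
    now = int(time.time())
    tok = sign_hs256({"iss": iss, "sub": "auth0|123", "aud": [api, iss + "userinfo"],
                      "iat": now, "exp": now + 3600, "azp": "client", "scope": "openid"}, secret)
    print(validate_access_token(tok, secret, iss, api)["sub"])
```

Swap the HS256 signing and check for RS256 against the JWKS key and the claim checks stay the same; the important choices are rejecting whatever alg the header advertises other than the one you expect, and using a constant-time comparison.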