TokenVerifier #243

Closed. StigKorsnes opened this issue Oct 5, 2020 · 4 comments

Labels: question, waiting for customer (This issue is waiting for a response from the issue or PR author)

Comments

StigKorsnes commented Oct 5, 2020

Hi,
Is the TokenVerifier class only for use with ID tokens? I see mostly TokenValidation error messages referring to ID tokens in the code, but cannot see why I would not want to validate claims for the access token also (i.e. expiration). I have tested it on an access token, which works if I only have a single audience. If I have a list (say my API + /userinfo, which is automatically included when scope contains openid) it raises an error in the #Audience section, and if I include only the one audience claim I asked for in GetToken.login() it will throw an error in the #Authorized party section.
So.. the feature request is the following:
Can I have a TokenVerifier that works with access tokens also, pretty please?

lbalmaceda (Contributor) commented

@StigKorsnes Yes, it's meant to be used with ID tokens for now. The steps of the validation follow the OIDC specification. Verifying an access token has different steps. There are no short-term plans to extend support for verifying access tokens.

Source: https://github.com/auth0/auth0-python#id-token-validation

StigKorsnes (Author) commented Oct 13, 2020

@lbalmaceda May I ask what the different steps are? I have been using the AsymmetricSignatureVerifier for signature verification, and wrote some extra validations along the lines of what is done in the TokenVerifier for iat, exp and some others. Have I been consuming tokens under a false sense of security? I have also seen the Python example from the docs, and cannot see why you would not want to include it in the SDK? For all of us writing APIs this is kind of the key security measure. All other userinfo etc. we can get from the backend from the Management API using client credentials. The other SDKs, auth0-react etc., do they not have access token validation for JWTs?

lbalmaceda (Contributor) commented

There are SDKs focused on API access and authorization but there's no official auth0 python SDK for that. This SDK is an implementation of the Auth0 authentication and management APIs.

The checks you would want to do against an access token relate to the token signature (asserts token contents were not changed) and authorization level (audience / name of the API, scope granted to that person, etc). Check https://auth0.com/docs/tokens/access-tokens/validate-access-tokens

@lbalmaceda lbalmaceda added question waiting for customer This issue is waiting for a response from the issue or PR author labels Oct 30, 2020
StigKorsnes (Author) commented

Well, scopes are kind of endpoint specific so they do not belong here. My point is that it should validate the standard claims, like audience and expiry. You explicitly turn off all but the signature verification part in jwt.decode, while jwt.decode natively supports some of them.
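The checks lbalmaceda lists above (signature, audience, scope) plus the standard time claims the author asks for (exp, nbf, iat, and iss) can be done in a few dozen lines. The following is an added example written for this page, not code from the issue or from the auth0-python SDK. It uses HS256 with a shared key purely so that it runs offline with the standard library; a real Auth0 access token is RS256 and the signature step would instead be done against the tenant's JWKS (for example with the SDK's AsymmetricSignatureVerifier), with everything after the signature check unchanged. The issuer, audience and key values are constructed placeholders. Note how the audience check accepts a list containing the API identifier, so the `/userinfo` entry that appears alongside the API when `openid` is requested does not cause a failure, and the OIDC `azp` rule is not applied because it belongs to ID-token validation.

```python
"""Added example: validate an access token's signature and standard claims.
HS256 with a shared key is a stand-in so this runs offline; production
Auth0 access tokens are RS256 and are verified against the tenant JWKS."""
import base64
import hashlib
import hmac
import json
import time


class TokenValidationError(Exception):
    """Raised when the token fails signature or claim validation."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HMAC-SHA256.
    Only used here to manufacture constructed sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_access_token(token: str, key: bytes, issuer: str, audience: str,
                        required_scopes=(), now=None, leeway: int = 0) -> dict:
    """Return the claims if `token` is authentic and acceptable for this API.

    Order: structure, pinned algorithm, signature, iss, aud (string or list;
    the API identifier must be present, extra entries such as /userinfo are
    allowed), exp, nbf, iat, then scope. Raises TokenValidationError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenValidationError("token is not a compact JWS")
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # covers binascii.Error and JSONDecodeError
        raise TokenValidationError("malformed header or signature")
    # Pin the expected algorithm; never let the token's own header choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenValidationError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenValidationError("signature mismatch")
    try:
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:
        raise TokenValidationError("malformed payload")
    if not isinstance(claims, dict):
        raise TokenValidationError("payload is not a JSON object")
    if claims.get("iss") != issuer:
        raise TokenValidationError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud_list, list) or audience not in aud_list:
        raise TokenValidationError("audience does not include this API")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise TokenValidationError("exp missing or not numeric")
    if now > exp + leeway:
        raise TokenValidationError("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise TokenValidationError("token not yet valid")
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        raise TokenValidationError("token issued in the future")
    granted = set(str(claims.get("scope", "")).split())
    missing = set(required_scopes) - granted
    if missing:
        raise TokenValidationError(f"missing scopes: {sorted(missing)}")
    return claims


if __name__ == "__main__":
    # Constructed values; not a real tenant, API or key.
    KEY = b"constructed-demo-key"
    ISS = "https://example-tenant.example.invalid/"
    AUD = "https://api.example.invalid"
    NOW = 1_700_000_000
    token = sign_hs256({"iss": ISS, "aud": [AUD, ISS + "userinfo"],
                        "exp": NOW + 600, "iat": NOW - 5,
                        "scope": "openid read:data"}, KEY)
    print(verify_access_token(token, KEY, ISS, AUD, ["read:data"], now=NOW)["scope"])
```

Scope enforcement is left as an optional `required_scopes` argument so the shared validator stays endpoint-agnostic and each route passes the scopes it needs.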
