  • [Security] Verifying an Auth0 token

    Auth0 returns a JWT token

    • JSON that contains information about a user
    • No need to send a request to Auth0 to verify the JWT
    • What prevents anyone from generating one?

    The JWT tokens returned by Auth0 are signed by Auth0 as well.

    • We can just verify the signature

    OAuth, as used by Auth0, allows one of two algorithms to sign a JWT token:

    Symmetric (HS256)

    • The same key is used for signing a token (by Auth0) and verifying a token (by our application)
    • We need to store that key securely
    • If this key leaks, an attacker can sign fraudulent JWT tokens

    Asymmetric (RS256)

    • Different keys are used for signing and verifying a token
    • We don't need to store the signing key
    • Auth0 is responsible for storing the signing key
    • We only get a certificate to verify a token (not to sign one)

    Symmetric Signing:

    • Auth0 uses the secret to generate a token
    • Returns the signed token to the client
    • The client sends the signed token to the API Gateway
    • The API Gateway has to use the same secret to validate the signed token

    Asymmetric Signing:

    • Auth0 uses a private key which is used only for signing
    • Returns the signed token to the client
    • The client sends the signed token to the API Gateway
    • The API Gateway uses the certificate (public key) to verify the signed token

    Here is a code snippet that can be used to verify a JWT token with Node.js:

    import { verify } from 'jsonwebtoken'

    // The raw JWT received from the client (e.g. from the Authorization header)
    const jwtToken = '...'
    // For HS256 this is the shared secret; for RS256 it is Auth0's certificate / public key
    const secret = '...'

    // verify() checks the signature (and standard claims such as exp)
    // and throws if the token is not valid
    verify(jwtToken, secret)
    // If an exception is not thrown, the JWT is valid

    Create an Application in Auth0

    • Create an application
  • Original article: https://www.cnblogs.com/Answer1215/p/14798866.html