
I have a FE application that generates a JWT token using Auth0. This token is then sent to my BE API. I am curious how to make sure that the token sent to my API was created by my FE application. I know I can check the aud claim, but AFAIK any application can set up any audience; Auth0 just checks whether such an API exists. So anyone in my organization can just fake the audience :(.

I was thinking about checking the azp claim, however, there does not seem to be support for this in the jsonwebtoken library.

Am I missing something?

Thanks

Marian Bazalik
  • this has multiple answers here: https://stackoverflow.com/questions/47119043/verifying-auth0-jwt-throws-invalid-algorigthm/71564958#71564958 – Akber Iqbal Mar 21 '22 at 22:39

1 Answer


Although the library does not have an option to check the azp claim, you can use the callback function to verify the claim yourself.

const jwt = require('jsonwebtoken');

// The options make verify() check the signature, issuer, audience and expiry
// first; the callback then checks the authorized party (azp) claim itself.
// 'shhhhh', the issuer URL and the audience are placeholder values.
jwt.verify(token, 'shhhhh', { algorithms: ['HS256'], issuer: 'https://YOUR_DOMAIN/', audience: 'YOUR_API_IDENTIFIER' }, function (err, decoded) {
   if (err) {
        // Signature, issuer, audience or expiry failed: do not look at the claims.
        console.log('Invalid token:', err.message);
        return;
   }
   if (decoded.azp === 'FE_Client_ID') {
        console.log('Validated !');
   }
   else {
        console.log('Invalid Client Id');
   }
});
SpartanX1