JWT Security In OAuth 2.0 And OpenID Connect
I have decided to jump on the bandwagon and start using OAuth 2.0 and OpenID Connect for the authentication and authorization of my next project, but I'm struggling to understand how a JWT can be secure.
I am using Angular 8 for the front end with a node.js backend and Auth0 as my identity service provider (the wrong terminology, I know. Forgotten it.)
I have watched two or three PluralSight courses on these subjects but none really go over using the JWT on a node.js back end, mostly they concentrate on the .NET stack which takes a lot of the labour out of it I guess.
My problem is this: how can I be sure that the JWT token sent to my API is one that comes from Auth0? I understand that the token has a signature, and I imagine Auth0 have some private secret they use to sign the JWT, but what is to prevent some malevolent entity creating a JWT with exactly the same content and signing with a different secret and sending that to my API? In the .NET samples I've seen, I see no mention of checking that the signature's secret corresponds to Auth0's. What checks are necessary on the API — .NET, node.js or otherwise — to ensure the JWT is authentic?
And how would this work with nodejs?
Answer
I'm not sure if I understood you correctly or what, but JWT is signed and verified by the same secret (if HMAC algo is used), so the answer to your first question would be:
- if it's tampered with, you will be notified during validation, because signing with a different secret is what gives it away that the token has been compromised.
Not sure what libraries you are using, but for Node.js, the jsonwebtoken package has a jwt.verify(token, secret) function that takes in your token and secret values as arguments. This is basically all you need and can have for verification.