@@ -156,6 +156,63 @@ For example:
156156
157157 s.login(client_id = ' ...' access_token = ' ...' connection = ' facebook'
158158
159+ ===================
160+ ID Token validation
161+ ===================
162+
163+ As the result of the authentication and among the credentials received, an ``id_token ``
164+ might be present. This artifact contains information associated to the user that has
165+ just logged in, provided the scope used contained ``openid ``. You can read more
166+ about ID tokens `here <https://auth0.com/docs/tokens/concepts/id-tokens >`_.
167+
168+ Before you access their contents, you must first verify the ID token to ensure its
169+ contents has not been tampered with and that is meant for your application to consume.
170+
171+ For that purpose you use the ``TokenVerifier `` class, which requires to be passed
172+ a few options:
173+ * A ``SignatureVerifier `` instance, in charge of checking the expected algorithm
174+ and signature.
175+ * The expected issuer value, typically matches the Auth0 domain prefixed with
176+ ``https:// `` and suffixed with ``/ ``.
177+ * The expected audience value, typically matches the Auth0 application client ID.
178+
179+ You choose the signature verifier depending on the signing algorithm used by your Auth0 application.
180+ You can check its value under ``Advanced settings | OAuth | JsonWebToken Signature Algorithm ``.
181+ * For symmetric algorithms like "HS256", use the `SymmetricSignatureVerifier ` class passing
182+ as secret the client secret value for your Auth0 application.
183+ * For asymmetric algorithms like "RS256", use the `AsymmetricSignatureVerifier ` class passing
184+ the public URL where the certificates for the public keys can be found.
185+
186+ Auth0 hosts Public Keys inside the ``.well-known `` directory of your tenant's domain.
187+ That URL looks like this: ``https://myaccount.auth0.com/.well-known/jwks.json ``.
188+ After replacing `myaccount.auth0.com ` with your tenant's domain, you should be able
189+ to access your tenant's public keys.
190+
191+ It is recommended that you make use of asymmetric signing algorithms as their keys are easier
192+ to rotate in case they need to be revoked.
193+
194+ With all in place, the next snippets shows how to verify an RS256 signed ID token:
195+
196+ .. code-block :: python
197+
198+ from auth0.v3.authentication.token_verifier import TokenVerifier, AsymmetricSignatureVerifier
199+
200+ domain = ' myaccount.auth0.com'
201+ client_id = ' exampleid'
202+
203+ # After authenticating
204+ id_token = auth_result[' id_token'
205+
206+ jwks_url = ' https://{} /.well-known/jwks.json'
207+ issuer = ' https://{} /'
208+
209+ sv = AsymmetricSignatureVerifier(jwks_url) # Reusable instance
210+ tv = TokenVerifier(signature_verifier = sv, issuer = issuer, audience = client_id)
211+ tv.verify(id_token)
212+
213+ TokenValidationError `` will be raised. In this
214+ scenario, the ID token should be deemed invalid and its contents not be trusted.
215+
159216Available Management Endpoints
160217==============================
161218
0 commit comments