Commit 0af9b08

committed
add access token validation guidance for organizations
1 parent 07e4b67 commit 0af9b08

1 file changed

+31
-0
lines changed

README.rst

Lines changed: 31 additions & 0 deletions
@@ -175,6 +175,37 @@ The ID of the invitation and organization are available as query parameters on t
175175
organization='org_abc',
176176
invitation="invitation_123")
177177
178+
--------------------------------------
179+
Authorizing users from an Organization
180+
--------------------------------------
181+
182+
When this SDK is used in an API or Backend application, it would typically receive network requests with an Access Token coming from the client application. These tokens include information that is useful to determine whether the request is coming from an authorized individual.
183+
184+
Among checking for the Access Token's signature, expiration, and audience values, when a specific organization is expected it should also be checked against the value of the ``org_id`` claim. The snippet below attempts to illustrate how this verification could look like using the `PyJWT <https://pyjwt.readthedocs.io/en/latest/usage.html#encoding-decoding-tokens-with-rs256-rsa>`__ library. This dependency will take care of pulling the RS256 public key that was used by the server to sign the Access Token. It will also validate its signature, expiration, and the audience value. After the basic verification, get the ``org_id`` claim and check it against the expected value.
185+
186+
.. code-block:: python
187+
188+
import jwt # PyJWT
189+
from jwt import PyJWKClient
190+
191+
access_token = # access token from the request
192+
url = 'https://{YOUR AUTH0 DOMAIN}/.well-known/jwks.json'
193+
jwks_client = PyJWKClient(url)
194+
signing_key = jwks_client.get_signing_key_from_jwt(access_token)
195+
data = jwt.decode(
196+
access_token,
197+
signing_key.key,
198+
algorithms=['RS256'],
199+
audience='{YOUR API AUDIENCE}'
200+
)
201+
202+
organization = # expected organization ID
203+
if data['org_id'] != organization:
204+
raise Exception('Organization (org_id) claim mismatch')
205+
206+
# if this line is reached, validation is successful
207+
208+
178209
====================
179210
Management SDK Usage
180211
====================
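Review bot: the comparison `if data['org_id'] != organization:` raises a `KeyError` instead of the intended mismatch error when the token carries no `org_id` claim at all (a token issued outside any organization context), which is exactly the case this check exists to reject; use `data.get('org_id') != organization` so a missing claim falls through to the same `raise` and the check stays fail-closed. The two placeholder assignments `access_token = # access token from the request` and `organization = # expected organization ID` are not valid Python, so the snippet cannot be copied and run as written; a quoted placeholder value with the same comment kept beside it (for example `access_token = '<token from the request>'`) reads the same and parses. Minor wording in the paragraph above the snippet: "Among checking for the Access Token's signature, expiration, and audience values" reads better as "In addition to checking the Access Token's signature, expiration, and audience values".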
