
Commit b4e8e77

amend the ID token validation section
1 parent 78c027f commit b4e8e77

1 file changed

+24
-39
lines changed


README.rst

Lines changed: 24 additions & 39 deletions
@@ -67,58 +67,43 @@ If you need to authenticate a user using their email and password, you can use t
6767
ID Token validation
6868
===================
6969
70-
As the result of the authentication and among the credentials received, an ``id_token``
71-
might be present. This artifact contains information associated to the user that has
72-
just logged in, provided the scope used contained ``openid``. You can read more
73-
about ID tokens `here <https://auth0.com/docs/tokens/concepts/id-tokens>`_.
74-
75-
Before you access their contents, you must first verify the ID token to ensure its
76-
contents has not been tampered with and that is meant for your application to consume.
77-
78-
For that purpose you use the ``TokenVerifier`` class, which requires to be passed
79-
a few options:
80-
* A ``SignatureVerifier`` instance, in charge of checking the expected algorithm
81-
and signature.
82-
* The expected issuer value, typically matches the Auth0 domain prefixed with
83-
``https://`` and suffixed with ``/``.
84-
* The expected audience value, typically matches the Auth0 application client ID.
85-
86-
You choose the signature verifier depending on the signing algorithm used by your Auth0 application.
87-
You can check its value under ``Advanced settings | OAuth | JsonWebToken Signature Algorithm``.
88-
* For symmetric algorithms like "HS256", use the `SymmetricSignatureVerifier` class passing
89-
as secret the client secret value for your Auth0 application.
90-
* For asymmetric algorithms like "RS256", use the `AsymmetricSignatureVerifier` class passing
91-
the public URL where the certificates for the public keys can be found.
92-
93-
Auth0 hosts Public Keys inside the ``.well-known`` directory of your tenant's domain.
94-
That URL looks like this: ``https://myaccount.auth0.com/.well-known/jwks.json``.
95-
After replacing `myaccount.auth0.com` with your tenant's domain, you should be able
96-
to access your tenant's public keys.
97-
98-
It is recommended that you make use of asymmetric signing algorithms as their keys are easier
99-
to rotate in case they need to be revoked.
100-
101-
With all in place, the next snippets shows how to verify an RS256 signed ID token:
70+
Upon successful authentication, the credentials received may include an ``id_token``, if the authentication request contained the ``openid`` scope. The ``id_token`` contains information associated with the authenticated user. You can read more about ID tokens `here <https://auth0.com/docs/tokens/concepts/id-tokens>`_.
10271
103-
.. code-block:: python
72+
Before you access its contents, you must verify that the ID token has not been tampered with and that it is meant for your application to consume. The ``TokenVerifier`` class can be used to perform this verification.
10473
105-
from auth0.v3.authentication.token_verifier import TokenVerifier, AsymmetricSignatureVerifier
74+
To create a ``TokenVerifier``, the following arguments are required:
75+
* A ``SignatureVerifier`` instance, which is responsible for verifying the token's algorithm name and signature.
76+
* The expected issuer value, which typically matches the Auth0 domain prefixed with ``https://`` and suffixed with ``/``.
77+
* The expected audience value, which typically matches the Auth0 application client ID.
78+
79+
The type of ``SignatureVerifier`` used depends upon the signing algorithm used by your Auth0 application. You can view this value in your application settings under ``Advanced settings | OAuth | JsonWebToken Signature Algorithm``. Auth0 recommends using the RS256 asymmetric signing algorithm. You can read more about signing algorithms `here <https://auth0.com/docs/tokens/signing-algorithms>`_.
80+
81+
For asymmetric algorithms like RS256, use the ``AsymmetricSignatureVerifier`` class, passing
82+
the public URL where the certificates for the public keys can be found. This will typically be your Auth0 domain with the ``/.well-known/jwks.json`` path appended to it. For example, ``https://your-domain.auth0.com/.well-known/jwks.json``.
83+
84+
For symmetric algorithms like HS256, use the ``SymmetricSignatureVerifier`` class, passing the value of the client secret of your Auth0 application.
10685
86+
The following example demonstrates the verification of an ID token signed with the RS256 signing algorithm:
87+
88+
.. code-block:: python
89+
90+
from auth0.v3.authentication.token_verifier import TokenVerifier, AsymmetricSignatureVerifier
91+
10792
domain = 'myaccount.auth0.com'
10893
client_id = 'exampleid'
109-
94+
11095
# After authenticating
11196
id_token = auth_result['id_token']
112-
97+
11398
jwks_url = 'https://{}/.well-known/jwks.json'.format(domain)
11499
issuer = 'https://{}/'.format(domain)
115-
100+
116101
sv = AsymmetricSignatureVerifier(jwks_url) # Reusable instance
117102
tv = TokenVerifier(signature_verifier=sv, issuer=issuer, audience=client_id)
118103
tv.verify(id_token)
104+
105+
If the token verification fails, a ``TokenValidationError`` will be raised. In that scenario, the ID token should be deemed invalid and its contents should not be trusted.
119106
120-
Provided something goes wrong, a ``TokenValidationError`` will be raised. In this
121-
scenario, the ID token should be deemed invalid and its contents not be trusted.
122107
123108
====================
124109
Management SDK Usage
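Review bot: The new "Auth0 recommends using the RS256 asymmetric signing algorithm." sentence drops the rationale that the removed lines gave ("their keys are easier to rotate in case they need to be revoked"); keep that clause so readers understand why RS256 is preferred over HS256, which requires handing the verifier the application's client secret. Minor style point: the "For asymmetric algorithms like RS256, use the ``AsymmetricSignatureVerifier`` class, passing" paragraph is hard-wrapped mid-sentence while every other paragraph added in this hunk is a single line; wrap it the same way as its neighbours.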
