fastapi-cloudauth

Aud(ience) is not verified

Open spawn-guy opened this issue 4 years ago • 4 comments

I can't seem to find an audience (and the rest params) verifier. It seems that only the signature is verified.

I see a decode method that should do all that and get the needed information back, here: https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L57

Can this be used?

spawn-guy, May 11 '21 15:05

@spawn-guy Thank you for your issue and proposed solution. This is fixed in #45.

tokusumi, May 31 '21 23:05

@tokusumi Hi! I just upgraded to 0.4.0. I'm using auth0 and I see that customAPI is now a required parameter to Auth0().

I understand this will essentially validate the client ID that is trying to authenticate. Now, what if there are multiple valid client IDs we want to authenticate against?

One scenario I could see: an Android app, an iOS app and an Electron app, all three with different client IDs, trying to auth against the same endpoint.

This is a bit confusing and not made clear in the docs (it just says "audience"). WDYT?

jleclanche, Jul 12 '21 21:07

@jleclanche you need to validate against server keys, not the client keys.

Client gives you a token, and server validates that it can accept the token. The token is valid and the token allows access to this server.

spawn-guy, Jul 13 '21 05:07

@spawn-guy Thanks for the pointers. I think this could use some examples for auth0; I will try to figure out how to do it properly.

jleclanche, Jul 18 '21 10:07
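An added example, not code from fastapi-cloudauth or python-jose, showing the checks the thread asks for: verifying the signature is only the first step, and the `iss`, `aud` and `exp` claims must be checked too. It answers the multi-client question by accepting one API identifier as the audience while leaving the per-application client ID (which Auth0 access tokens carry in `azp`, not in `aud`) out of the audience check. HS256 with a shared secret is used only so the block runs stand-alone; an Auth0 API would verify an RS256 signature against the tenant's JWKS, but the claim logic is the same. The issuer URL, API identifier, client IDs and secret are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(s: str) -> bytes:  # JWT strips '=' padding; put it back
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    # Only for building test tokens here; in production the identity provider issues them.
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_token(token: str, key: bytes, audiences: set, issuer: str, now=None) -> dict:
    # Signature first, then iss/aud/exp; the claims are returned only if every check passes.
    if token.count(".") != 2:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, chooses the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # RFC 7519: a single string or an array of strings
    aud_list = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud_list, list) or not audiences.intersection(aud_list):
        raise ValueError("audience not accepted")  # correctly signed, but issued for another API
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def token_status(token: str, key: bytes, audiences: set, issuer: str, now=None) -> str:
    try:
        verify_token(token, key, audiences, issuer, now)
        return "ok"
    except ValueError as e:
        return str(e)

# Constructed demo values, not real Auth0 identifiers.
KEY = b"demo-shared-secret"
ISSUER = "https://YOUR_TENANT.example/"
API_AUDIENCE = {"https://api.example.com"}  # the API identifier, shared by every client app
NOW = 1_700_000_000
BASE = {"iss": ISSUER, "aud": "https://api.example.com", "exp": NOW + 600}
TOKEN_ANDROID = make_hs256_token({**BASE, "azp": "android-client-id"}, KEY)  # client ID in azp
TOKEN_IOS = make_hs256_token({**BASE, "azp": "ios-client-id"}, KEY)          # other client, same aud
```

Both client tokens pass because they share the API audience; a token signed for a different API, an expired one, or one signed with another key is rejected before any claim is trusted.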