The right way to verify JWT (JWS) on server with NextAuth #12675

Open
inthegreenwild opened this issue Feb 19, 2025 · 0 comments
Labels
triage Unseen or unconfirmed by a maintainer yet. Provide extra information in the meantime.

Comments


inthegreenwild commented Feb 19, 2025

What is the improvement or update you wish to see?

I am using auth0 as a provider to get a JWS and store that on the user session. I want to verify that the token sent back with requests from my frontend is still valid (it should not be expired and should also be verified against the issuer/audience).

The documentation mentions the getToken function as a helper to verify and decode the JWT. It appears that this will verify that the token was issued by my server, which has the auth endpoint, but it would not verify other things based on the JWKS endpoint of my auth0 client. So I still need to check the expiration and verify the issuer/audience on my end, correct?

I have something like the following code set up using the jose library:

```js
import { createRemoteJWKSet, jwtVerify } from 'jose';
import { getToken } from 'next-auth/jwt';

// JWKS endpoint of the Auth0 tenant, e.g. https://<tenant>.auth0.com/.well-known/jwks.json
const wellKnownEndpoint = process.env.AUTH0_JWKS_URL;
// Build the key set once per module, not per request, so jose can cache the fetched keys
const JWKS = createRemoteJWKSet(new URL(wellKnownEndpoint));

export default async function handler(req, res) {
  // getToken reads and verifies the NextAuth session JWT from the request
  // (needs NEXTAUTH_SECRET or a `secret` option); it returns null when there is no session
  const token = await getToken({ req });
  if (!token?.access_token) return res.status(401).end();

  // jwtVerify checks the signature against the JWKS plus exp, iss, aud and the allowed algs
  const { payload, protectedHeader } = await jwtVerify(token.access_token, JWKS, {
    issuer: '',       // placeholder: the Auth0 tenant issuer URL
    audience: '',     // placeholder: the API identifier configured in Auth0
    algorithms: [''], // placeholder: e.g. 'RS256'
  });
  return res.status(200).json({ payload, protectedHeader });
}
```

Just want to make sure I am understanding the getToken function correctly.

Is there any context that might help us understand?

Help understanding how to properly verify JWT when using auth0 provider

Does the docs page already exist? Please link to it.

https://next-auth.js.org/configuration/options#jwt-helper
