0
votes

Everything is working except for what happens between Step 6 and Step 7. When my backend receives the access token from the browser, how does the backend validate that access token? I assume, that the backend doesn’t make a call to Auth0 to validate that token because there is no arrow back to Auth0 after Step 6. So, how does the backend know that the token it received is valid?

I have an SPA and an API which I would like to follow this flow: https://auth0.com/docs/flows/concepts/implicit

And also, in this document, how does the API validate the Access Token?


2 Answers

0
votes

Between steps 6 and 7 of the doc you referenced, it dives into your backend validating this access token. Depending on your backend there are a large number of quickstarts to help you gain traction moving forward. I will link the docs below along with Auth0 video training on identity to help solidify a great foundation when tackling the authentication subject. Please let me know if this helps you!

0
votes

The following is the standard way to validate the access token.

  • Check that the access token is well-formed.

  • Validate the signature which was used to sign the access token. In that case, the backend application performs an API call to the JWKS endpoint to retrieve the public key: https://auth0.com/docs/jwks

  • Validate the standard claims.

  • Validate the permissions (scopes).

More details can be found here:

https://auth0.com/docs/api-auth/tutorials/verify-access-token

https://auth0.com/blog/navigating-rs256-and-jwks/

If you are using any Auth0 SDK, it performs the validation as described.

Additionally, the ID token is also required to be validated in the frontend client. https://auth0.com/docs/tokens/guides/id-token/validate-id-token