Aud(ience) is not verified
spawn-guy opened this issue
I can't seem to find an audience (and the rest of the params) verifier.
It seems that only the signature is verified.
I see a decode method that should do all that and get the needed information back, here: https://github.com/mpdavis/python-jose/blob/master/jose/jwt.py#L57
Can this be used?
@spawn-guy Thank you for your issue and proposed solution.
This is fixed in #45.
@tokusumi Hi! I just upgraded to 0.4.0. I'm using Auth0 and I see that customAPI is now a required parameter to Auth0().
I understand this will essentially validate the client ID that is trying to authenticate. Now, what if there are multiple valid client IDs we want to authenticate against?
One scenario I could see: an Android app, an iOS app and an Electron app, all three with different client IDs, trying to auth against the same endpoint.
This is a bit confusing and not made clear in the docs (it just says "audience"). WDYT?
@jleclanche you need to validate against server keys, not the client keys.
Client gives you a token, and server validates that it can accept the token. The token is valid and the token allows access to this server.
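The point of the original report (signature-only checking is not enough) and of the reply above (the audience is the API identifier, not the client ID) can be shown in one runnable script. This is an added example, not code from fastapi-cloudauth or python-jose: it uses a stdlib HS256 implementation as a stand-in for the provider (Auth0 itself issues RS256 tokens verified against the tenant's JWKS), and every secret, client ID, tenant URL and API identifier in it is constructed for the demonstration. Three tokens issued to three different clients all carry the same `aud` (the API identifier) and all pass; a token for a different API with an equally valid signature passes the signature-only check but is rejected once `aud` is verified.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real Auth0 deployment signs with RS256 and the verifier
# fetches the public key from the tenant's JWKS; HMAC keeps this example runnable offline.
SECRET = b"constructed-demo-secret-do-not-use"

# Hypothetical API identifier: the value an API is registered with at the provider.
# It becomes the access token's "aud" claim regardless of which client asked for the token.
API_AUDIENCE = "https://api.example.invalid/"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict) -> str:
    """Issue an HS256 token; stands in for the identity provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature_only(token: str) -> dict:
    """The behaviour the issue describes: signature checked, claims ignored."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def verify(token: str, audience: str, issuer: str, now=None) -> dict:
    """Signature plus the claims a resource server must check: aud, iss, exp."""
    claims = verify_signature_only(token)
    now = time.time() if now is None else now
    # "aud" may be a string or a list (RFC 7519 section 4.1.3); our identifier must be in it.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud_list, list) or audience not in aud_list:
        raise ValueError("invalid audience")
    if claims.get("iss") != issuer:
        raise ValueError("invalid issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


def _rejects(func, *args) -> bool:
    """True if the verifier raises for these arguments."""
    try:
        func(*args)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Three client IDs, one API: all pass when verified against the API identifier."""
    now = 1_700_000_000
    issuer = "https://tenant.example.invalid/"  # hypothetical tenant
    clients = ["android-client-id", "ios-client-id", "electron-client-id"]  # constructed
    base = {"iss": issuer, "sub": "user|123", "exp": now + 3600}
    tokens = {c: mint_token({**base, "aud": API_AUDIENCE, "azp": c}) for c in clients}
    # Same signing key, different audience: a token meant for another API in the tenant.
    foreign = mint_token({**base, "aud": "https://other-api.example.invalid/", "azp": clients[0]})
    return {
        "accepted_clients": sorted(verify(t, API_AUDIENCE, issuer, now)["azp"] for t in tokens.values()),
        "client_id_as_audience_rejected": _rejects(verify, tokens[clients[0]], clients[0], issuer, now),
        "signature_only_accepts_foreign": not _rejects(verify_signature_only, foreign),
        "full_check_rejects_foreign": _rejects(verify, foreign, API_AUDIENCE, issuer, now),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows that checking `aud` against a client ID rejects every token, while checking it against the API identifier accepts tokens from all three clients; the `azp` claim is where the requesting client ID lives if an API needs to distinguish them.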
@spawn-guy Thanks for the pointers. I think this could use some examples for auth0; I will try to figure out how to do it properly.