getting a JWT access token using audience parameter
Mark Nuttall-Smith
Nov 10, 2018, 9:19:06 AM
to dex-dev
Hi,
I'm investigating using Dex+LDAP/AD as a replacement for an existing Auth0 setup.
As per the Auth0 recommendations, we use access tokens to secure APIs rather than ID Tokens. Including the audience URL parameter to the /authorize endpoint causes Auth0 to return a JWT access token valid for this API ("aud" field set).
My question is - does Dex work in the same way? I can't see any way to set the audience parameter in the example-app code.
Thanks, Mark
Eric Chiang
Nov 12, 2018, 11:00:58 AM
to marknutt...@gmail.com, dex...@googlegroups.com
The audience ("aud") claim of the ID token is always the client ID
that logged in the user (with a few exceptions[1]). If you're using a
public IdP like Google, you want to check "aud" to ensure a trusted
client logged in the user instead of some other client also registered
with Google.
Dex doesn't use access tokens because it doesn't have an API to
interact with. It just returns a random string.
I think that warning is specific to Auth0 (what access tokens contain
isn't standardized). The core concern when using any kind of token
authentication is that the remote endpoint gets a copy of the token
and can use it to impersonate you. If you're using tokens to
authenticate, ensure that they're scoped to the endpoint you're
accessing, and/or that you trust that endpoint.
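The "aud" check Eric describes, as an added Go example that is not Dex's or the example-app's own code: a relying party decodes the ID token payload and accepts the token only if its "aud" claim (either the single-string or the array form RFC 7519 allows) names the relying party's own client ID. The token here is a constructed, unsigned test token, the client ID "example-app" is a placeholder, and signature verification is assumed to have been done already by the OIDC library.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
// audience holds the JWT "aud" claim; RFC 7519 lets it be a string or an array of strings.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var single string
	if json.Unmarshal(b, &single) == nil { // single-string form
		*a = audience{single}
		return nil
	}
	var many []string // array form
	err := json.Unmarshal(b, &many)
	*a = many
	return err
}

// checkAudience decodes a compact JWT payload and rejects the token unless its
// "aud" claim names clientID. It assumes the signature was already verified.
func checkAudience(rawJWT, clientID string) error {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("decoding payload: %w", err)
	}
	var c struct{ Audience audience `json:"aud"` }
	if err := json.Unmarshal(payload, &c); err != nil {
		return fmt.Errorf("parsing claims: %w", err)
	}
	for _, aud := range c.Audience {
		if aud == clientID {
			return nil
		}
	}
	return fmt.Errorf("token issued for %v, not for client %q", c.Audience, clientID)
}
// unsignedJWT builds a constructed test token with a placeholder signature (test data only).
func unsignedJWT(payloadJSON string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"none"}`)) + "." + enc([]byte(payloadJSON)) + ".sig"
}
```

A token minted for another client registered at the same IdP (for example `{"aud":"other-client"}`) is rejected by `checkAudience(tok, "example-app")`, which is exactly the case the "aud" check exists to catch.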