Improve JWTValidator to also validate access tokens

[Artenuvielle]

Checklist

• I have looked into the Readme and the Examples, and have not found a suitable solution or answer.
• I have looked into the API documentation and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

The verify function in class Omniauth::Auth0::JWTValidator only validates checks that client_id is included in the audience of the given token. This works for validation of id token, but not for access token. Users may want to manually verify any tokens since this class is publicly accessible.

Describe the ideal solution

It could be useful to either have 2 functions (e.g. verifyIdToken and a more general verify) or set the client_id as validation parameters when calling verify on id tokens.

Alternatives and current workarounds

Currently one can only use the decode function of said class and verify claims on their own.

Additional context

No response

[stevehobbsdev]

Thanks for the feedback @Artenuvielle. As this library is primarily concerned with application login, and that access tokens should be validated by the API they're intended for, we have not so far included a validator that validates access tokens. Are you in a scenario where you're using this SDK also on an application that provides an API protected by access tokens?

[ajoy39]

Late to the party here but I can say that I am working with an app that uses this SDK for application login and also has a protected API we want to use access tokens for. Does Auth0 offer another package for use with machine to machine clients? We are trying to use Auth0 to unifify the user base and authorization logic of three different applications, one built with Laravel and 2 built with Rails. The Laravel Auth0 package supports api authorization via access token, so I was hoping the recommended package for Rails did the same

[stevehobbsdev]

@ajoy39 Unfortunately today we don't have a built-in way to do this with one of our SDKs, and recognise that it is a gap when compared to some of our other SDKs. However, please check out this quickstart that shows one way to do API authorization with Auth0 in Rails (the quickstart uses the jwt gem).