Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Guidance to download the Auth0 public key is problematic #2

Open
sandrinodimattia opened this issue Aug 5, 2020 · 1 comment
Open

Guidance to download the Auth0 public key is problematic #2

sandrinodimattia opened this issue Aug 5, 2020 · 1 comment
Labels
good first issue Good for newcomers

Comments

@sandrinodimattia
Copy link

I noticed you have an example using Auth0 which requires the user to download the public key and copy it to an environment variable.

This is problematic because Auth0 (and many other providers) support public key rotation which means that the key will change over time. Requiring customs to exactly time this event by reconfiguring their applications on that same moment is problematic and a bad practice.

I would suggest updating the examples to use a library that handles all of this automatically using the OIDC discovery endpoints, like this library: https://github.com/sandrinodimattia/serverless-jwt/tree/master/examples
@matuzalemsteles
Copy link
Member

@sandrinodimattia thanks, I'll take care of updating the example using the OIDC.

@matuzalemsteles matuzalemsteles added the good first issue Good for newcomers label Mar 30, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
good first issue Good for newcomers
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sandrinodimattia @matuzalemsteles