    bharath.yadavally


    Best posts made by bharath.yadavally

    • RE: Manually verifying a JWT

      @dan How can I view the RS256 secret?

      It says "The private key is not viewable".


      posted in Q&A
      bharath.yadavally
    • RE: Manually verifying a JWT

      @dan Discard my comment above regarding custom claims for JWT.

      I found your post: https://fusionauth.io/community/forum/topic/65/how-does-one-add-custom-claims-to-the-jwt-issued-by-the-oauth-flow?_=1672715552700

      Which should guide me through next steps. Thanks 👨‍💻

      posted in Q&A
      bharath.yadavally

    Latest posts made by bharath.yadavally

    • RE: How to invalidate JWT issued before deactivating user?

      @dan
      Okay I can give it a go.

      But I am trying to understand what the difference is between doing this the webhook way vs. doing the following steps:

      On every client request to the backend service:

      1. Call GET: api/jwt/validate, or I can implement manual validations (in a no-claims scenario, only the signature and expiry need to be checked)
      2. Call GET api/user with the valid JWT from step 1, which returns a response with user.active: false for a deactivated user
      posted in Q&A
      bharath.yadavally
    • RE: How to invalidate JWT issued before deactivating user?

      @dan I am passing the access token to the introspect endpoint, as you mentioned it is always returning active.

      What I am actually trying to do is to have the access token revoked if the user account is deactivated.

      For my scenario, I am using an access token with a longer expiry, but I also wanted to revoke those tokens if a user is deactivated before the token has expired.

      posted in Q&A
      bharath.yadavally
    • How to invalidate JWT issued before deactivating user?

      @dan

      Would you be able to help me understand these flows:

      I have two users: parent-user and child-user

      1. child-user logged in and received a valid token with a lengthy expiry

      2. parent-user deactivated child-user using the endpoint DELETE: /api/user, which successfully locked the user, who is now showing as locked in the FusionAuth UI

      3. But when child-user requested data using the token issued in step 1, the validate endpoint GET: api/jwt/validate is not invalidating the user and is returning a success response. When I checked the user, applications are present in registrations.

      Is this a bug? How can I invalidate a locked user properly?

      EDIT:

      I have looked into your post: https://fusionauth.io/community/forum/topic/49/how-should-i-validate-access-tokens

      And it makes sense that /api/jwt/validate is just validating expiry, signature and claims. But when I hit the /oauth2/introspect endpoint I am still getting user status active:

      {
      	"active": true,
      	"applicationId": "<appid-uuid>",
      	"aud": "<appid-uuid>",
      	"auth_time": 1673234995,
      	"authenticationType": "PASSWORD",
      	"email": "myuser@mailinator.com",
      	"email_verified": true,
      	"exp": 1674444595,
      	"iat": 1673234995,
      	"iss": "auth-dev.mailinator.com",
      	"jti": "jti-uuid",
      	"roles": [],
      	"scope": "offline_access",
      	"sub": "<user-uuid>",
      	"tid": "<t-uuid>"
      }
      
      posted in Q&A
      bharath.yadavally
    • RE: Manually verifying a JWT

      @dan Now I am able to validate the token using RS256.
      But I am trying to figure out how I can add a user status of ACTIVE or INACTIVE to the JWT when it is first generated by FusionAuth.

      I previously used Auth0, where we can add a JS script, like lambda functions, to add custom parameters to the JWT. Is that something I could do with FusionAuth?

      posted in Q&A
      bharath.yadavally
    • RE: Manually verifying a JWT

      @dan I forgot how I created my key in the first place; I imported a new one and am using the private key which I generated.

      posted in Q&A
      bharath.yadavally