Verifying JWT provided by Kinde with PKCE extension
We are implementing kinde-auth-pkce-js in the front-end of our react application. We are able to login() with Kinde from client side and get hold of the JWT provided by Kinde by using await kindeClient.getToken().
How do we verify the Kinde JWT, on the server, when the JWT is originally obtained client side via pkce?
The docs say we need code_verifier, code_challenge and code_challenge_method and we don't know where to obtain these values, server side.
My tech stack is a bit different (I don't know React unfortunately). I use Vue.js, Nuxt, and a .NET API. With Nuxt it is using universal rendering, meaning it renders both on the backend and frontend. My Nuxt backend, when it comes to APIs, is just a proxy, as the backend can access the token whereas the frontend cannot. I'm good with that for a couple of reasons: the Kinde cookie is HttpOnly (which is a good thing from a security standpoint) and I also don't want the frontend to be able to access the auth token. The Nuxt proxy basically takes a request from the client and adds the JWT as a bearer token to pass through to my .NET API backend.
Now the bit where it might be relevant to you is that I also want to verify that the auth token is valid. What I do in the .NET auth pipeline is ensure that I am decrypting the JWT with the OpenIdConnect configuration (from my authority server - Kinde, /.well-known/openid-configuration) public signing keys (and that the authority and issuer are correct). I'm using standard .NET libraries for this so the code won't be as relevant on your NodeJS backend, but you can probably do something similar. I would imagine that there are some libraries you can use and configure the authority and/or issuer server to validate the JWT.
Someone using a tech stack similar to yours will likely have a better answer.