I'm evaluating whether I can migrate my service to Auth0 for authentication. Right now I'm stuck on letting my API validate the access tokens. It fails with: "The Token's Signature resulted invalid when verified using the Algorithm: SHA256withRSA"
I hope I've written down all the relevant clues here:
Settings
I have one app with the auth domain: myapp.eu.auth0.com (uses RS256, I haven't changed the advanced settings)
I have one custom API with the domain: api.mydomain.com (uses RS256 and can't be changed)
Login
I use the Auth0 Lock with the relevant config:

```javascript
new Auth0Lock(
  'the app client id',
  'the app domain',
  {
    auth: {
      responseType: 'token id_token',
      params: {
        scope: 'openid'
      },
      audience: 'the api domain'
    }
  }
)
```
I get two JWTs that can be viewed on jwt.io.
Verify
The backend is written in Scala, so I use the Java libs:

```scala
"com.auth0" % "java-jwt" % "3.4.1",
"com.auth0" % "jwks-rsa" % "0.6.1",
```

```scala
import java.security.interfaces.RSAKey
import java.util.concurrent.TimeUnit

import com.auth0.jwk.JwkProviderBuilder
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm

val token = "valid jwt"

// Fetches the tenant's signing keys, with caching and rate limiting
val provider = new JwkProviderBuilder("https://myapp.eu.auth0.com/.well-known/jwks.json")
  .cached(10, 24, TimeUnit.HOURS)
  .rateLimited(50, 1, TimeUnit.MINUTES)
  .build()

// Decode (no verification yet) to read the key id from the header
val jwt = JWT.decode(token)
val jwk = provider.get(jwt.getKeyId)

// Verify the signature with the public key matching that key id
val algo = Algorithm.RSA256(jwk.getPublicKey.asInstanceOf[RSAKey])
algo.verify(jwt) // throws SignatureVerificationException
```
Can anyone spot the error? I'm not sure whether the private key is supposed to be used somehow, but from what I could tell it's only used when signing new tokens?
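As an added example (not code from the question or from the Auth0 libraries), here is what a complete check looks like with these same two libraries: besides the signature it pins the algorithm and verifies issuer, audience and expiry, which the snippet above does not. The class and object names are assumptions; the domain and API identifier are the ones from the question.

```scala
import java.security.interfaces.RSAPublicKey
import java.util.concurrent.TimeUnit
import com.auth0.jwk.{JwkException, JwkProviderBuilder}
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import com.auth0.jwt.exceptions.JWTVerificationException
import com.auth0.jwt.interfaces.DecodedJWT

// Verifies Auth0-issued RS256 access tokens for one API (class name is an assumption).
class Auth0TokenVerifier(auth0Domain: String, apiIdentifier: String) {

  // Documented usage is to pass the tenant domain; the provider appends
  // /.well-known/jwks.json itself. Cached keys keep most requests off the network.
  private val jwks = new JwkProviderBuilder(auth0Domain)
    .cached(10, 24, TimeUnit.HOURS)
    .rateLimited(50, 1, TimeUnit.MINUTES)
    .build()

  // Auth0 sets `iss` to the tenant URL with a trailing slash.
  private val issuer = s"https://$auth0Domain/"

  def verify(token: String): Either[String, DecodedJWT] =
    try {
      // Decode without verification only to read `kid` and `alg` from the header.
      val header = JWT.decode(token)
      if (header.getAlgorithm != "RS256") {
        Left(s"unexpected alg: ${header.getAlgorithm}")
      } else {
        // Public key only: the private key stays with Auth0 and is used for signing.
        val publicKey = jwks.get(header.getKeyId).getPublicKey.asInstanceOf[RSAPublicKey]
        val verifier = JWT.require(Algorithm.RSA256(publicKey, null))
          .withIssuer(issuer)          // rejects tokens minted by another tenant
          .withAudience(apiIdentifier) // rejects the id_token (its aud is the client id)
          .acceptLeeway(10)            // seconds of clock skew tolerated for exp/nbf/iat
          .build()
        Right(verifier.verify(token))  // signature and claims are checked here
      }
    } catch {
      case e: JwkException             => Left(s"no signing key for kid: ${e.getMessage}")
      case e: JWTVerificationException => Left(s"token rejected: ${e.getMessage}")
    }
}

object VerifyExample extends App {
  val verifier = new Auth0TokenVerifier("myapp.eu.auth0.com", "api.mydomain.com")
  verifier.verify(sys.env.getOrElse("ACCESS_TOKEN", "")) match {
    case Right(jwt) => println(s"accepted, sub=${jwt.getSubject}")
    case Left(err)  => println(err)
  }
}
```

Run it with the access token (not the id_token) from the Lock callback in `ACCESS_TOKEN`; a token that fails only on `aud` or `iss` surfaces as an `InvalidClaimException` message rather than a signature error, which helps separate key problems from claim problems.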