Certificate thumbprint is longer than 20 bytes

The library I’m trying to use is not able to decode JWK key because x5t field value is longer than 20 bytes.
This is what I get from .well-known/jwks.json "x5t":"RTBFQjE3MEU0QjQ2M0FCNkYxRTEwMUIwNTJFOUY1NDgyMjgzRTI1NQ"
When decoded the value is E0EB170E4B463AB6F1E101B052E9F5482283E255 which is a 40 byte hex value.
I assume when decoded into binary it will become 20 bytes.
As library author pointed out according to the standard the value should be 20 bytes unencoded and not a hex string:
4.8. "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter The "x5t" (X.509 certificate SHA-1 thumbprint) parameter is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280].
Here is the link to the discussion: Can't decode JWKSet if thumbprint is not 20 bytes (incorrect number of bytes) · Issue #54 · frasertweedale/hs-jose · GitHub Is it just a different interpretation of the standard or Auth0 doesn’t comply with it?


Just wanted to let you know we are reviewing this; at first glance, this may indeed be an issue, but I’ll keep you posted when I have more concrete information.

I am running into this problem as well. Would love to know what the status of this is.

@jmangelo Is there any progress on this issue? I’m running into this issue now as well.

Nothing useful; the situation was reported and is being tracked in the backlog but there’s nothing concrete to share I’m afraid. I will relay that the problem has been also experienced by additional users and not just the OP.

Sorry for missing this comment; I have to confess that at that time I was offline and when I got back online did not have the possibility to go through all the notifications.

I ended up writing code to decode the base64 and hex encodings and reencode the field correctly so that my library could consume it. It really does seem that auth0 does not fit the spec.

The “x5t” (X.509 certificate SHA-1 thumbprint) parameter is base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280].

“x5t” is not supposed to be a base64url-encoded of the hex encoding of the SHA-1 thumbprint of the DER encoding of the x.509 certificate. auth0 incorrectly adds a hex encoding in the middle

1 Like

I kind of don’t appreciate that I have to write a hack to get my JWT library to work with auth0.


Hi all,

I posted in another thread that we have a fix for this now:

1 Like

Thanks a lot for that @matt.macadam!