
Create JWT using RS256 with jwt.sign

jwt
rs256

#1

I need to create a JWT using RS256 in one of my rules. For whatever reason my .NET Core web API won’t take a JWT signed with HS256… Is this possible inside of a rule? I assume it has to be, since using the RS256 algorithm is recommended for JWTs.


#2

The easiest way for you to accomplish that is by performing a client credentials grant from the rule itself. You would represent the API within Auth0 and configure it so that RS256 tokens are issued to it, then you would authorize a suitable client application to perform a client credentials grant.

Finally, you could then do the following from a rule:

function (user, context, callback) {
  var request = require("request");

  // Client credentials grant against the tenant's token endpoint
  var options = {
    method: 'POST',
    url: 'https://[your_account].auth0.com/oauth/token',
    headers: { 'content-type': 'application/json' },
    body: {
      grant_type: 'client_credentials',
      client_id: '[your_cc_client_id]',
      client_secret: '[your_cc_client_secret]',
      audience: '[your_api_identifier]'
    },
    json: true
  };

  request(options, function (error, response, body) {
    if (error) return callback(error);
    // A non-200 reply (for example, rejected credentials) does not set `error`
    if (response.statusCode !== 200) {
      return callback(new Error('Token request failed: ' + response.statusCode));
    }

    // Call API with body.access_token...

    callback(null, user, context);
  });
}

#3

hi @jmangelo,

I’ll give this a try shortly and if it works I’ll accept your answer :).

Thanks!


#5

Is there another method of producing RS256 tokens which are signed by Auth0 within a rule?
The problem with the above is that it (1) sets the audience to the API rather than the clientID and (2) does not allow any private claims to be declared.


#7

The signing with the same certificate by Auth0 would imply access to the private key from the rule and that is something that is not available.
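
Added example, not part of the original thread and not Auth0's code: since RS256 signing needs the private key, a token minted in your own code has to be signed with a key pair you control, and the API must be configured to trust that pair's public key. The sketch uses Node's built-in `crypto` module; the key pair, issuer, client ID, `kid` and namespaced claim are constructed placeholders.

```javascript
const crypto = require('crypto');

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// RS256 = RSASSA-PKCS1-v1_5 with SHA-256. Signing requires the PRIVATE key.
function signRs256(payload, privateKey, kid) {
  const input = `${b64url({ alg: 'RS256', typ: 'JWT', kid })}.${b64url(payload)}`;
  const sig = crypto.sign('RSA-SHA256', Buffer.from(input), privateKey);
  return `${input}.${sig.toString('base64url')}`;
}

// Verification needs only the PUBLIC key. Pin the algorithm, then check aud and exp.
function verifyRs256(token, publicKey, expectedAud) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const ok = crypto.verify('RSA-SHA256', Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  const now = Math.floor(Date.now() / 1000);
  if (claims.aud !== expectedAud) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed demo: audience set to a client ID, plus one namespaced private claim.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const now = Math.floor(Date.now() / 1000);
  const token = signRs256({
    iss: 'https://issuer.example/', sub: 'user|123', aud: 'example-client-id',
    iat: now, exp: now + 300, 'https://example.com/role': 'admin'
  }, privateKey, 'demo-key-1');
  const claims = verifyRs256(token, publicKey, 'example-client-id');
  // A payload edited after signing must fail verification.
  const [h, , s] = token.split('.');
  const edited = b64url({ ...claims, 'https://example.com/role': 'superadmin' });
  let tamperedRejected = false;
  try { verifyRs256(`${h}.${edited}.${s}`, publicKey, 'example-client-id'); }
  catch (e) { tamperedRejected = e.message === 'bad signature'; }
  return { token, claims, tamperedRejected, publicKey };
}

console.log(demo().claims);
```
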


#8

Hi, I’m also still looking into a way to use RS256 encoding with a certificate. Did you find a way?

