Overview
This article will describe how to get an access token with a Private Key JSON Web Token (JWT).
Applies To
- Private Key JSON Web Token (JWT)
Solution
- Generate RSA Key Pair
- In the Auth0 Dashboard’s app, add the public PEM key as a credential for Private Key JWT. See Configure Private Key JWT Authentication for detailed steps.
- Using jwt.io (for testing purposes, do not use this for production), create a JWT with the following values, replacing anything in <> with the correct value:
//header
{
"alg": "RS256",
"typ": "JWT",
"kid": "<KEY_ID>"
}
//payload
{
"sub": "<CLIENT_ID>",
"jti": "<RANDOMLY_GENERATED_UUID>",
"iss": "<CLIENT_ID>",
"aud": "<TENANT_DOMAIN>/oauth/token",
"exp": <EXP_VALUE>
}
//signature - public key & private key from step 1
//public key
-----BEGIN PUBLIC KEY-----
<PUBLIC KEY>
-----END PUBLIC KEY-----
//private key
-----BEGIN PRIVATE KEY-----
<PRIVATE KEY>
-----END PRIVATE KEY-----
- kid: the Key ID Auth0 creates when the public key is added to the application’s credential settings.
- sub and iss: the app’s client ID.
- jti: a random UUID.
- exp: the epoch/Unix timestamp of when the JWT expires; it has to be less than 5 minutes away.
- aud: domain + /oauth/token.
- Then use the JWT in this curl request to receive an access token:
curl --location --request POST 'https://<TENANT_DOMAIN>/oauth/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=<YOUR_JWT>' \
--data-urlencode 'audience=https://<TENANT_DOMAIN>/api/v2/'
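The steps above carried out in code, as an added example that is not Auth0's code and not part of the original article: it generates the RSA key pair (the PEM public key is the text you register as the Private Key JWT credential), signs the header and payload shown above with RS256, checks the resulting assertion the way the token endpoint would (signature against the registered public key, expected aud, exp in the future but no more than 5 minutes away), and builds the form body the curl request sends. Assumptions made here: Go standard library only; a 2048-bit key, a two-minute exp and a UUID v4 jti are choices of this example, not requirements stated by the article; KEY_ID, CLIENT_ID and TENANT_DOMAIN stay as placeholders, and the request body is built but never sent.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// generateKeyPair returns a fresh RSA key and its public half as PEM, which is
// the text pasted into the application's Private Key JWT credential (step 1).
func generateKeyPair() (*rsa.PrivateKey, string, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // key size chosen for this example
	if err != nil {
		return nil, "", err
	}
	der, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, "", err
	}
	return key, string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// newJTI returns a random UUID v4 string for the jti claim (one per assertion).
func newJTI() (string, error) {
	var u [16]byte
	if _, err := rand.Read(u[:]); err != nil {
		return "", err
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:]), nil
}

// buildClientAssertion signs the header and payload from the article with RS256.
func buildClientAssertion(key *rsa.PrivateKey, kid, clientID, tenantDomain, jti string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	payload, _ := json.Marshal(map[string]interface{}{
		"sub": clientID,
		"iss": clientID,
		"jti": jti,
		"aud": tenantDomain + "/oauth/token",
		"exp": now.Add(2 * time.Minute).Unix(), // example lifetime; must stay under 5 minutes
	})
	signingInput := b64(header) + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyClientAssertion performs the checks the token endpoint would: RS256 signature
// against the registered public key, the expected aud, and an exp that is in the
// future but no more than five minutes away. It returns the verified claims.
func verifyClientAssertion(pub *rsa.PublicKey, token, expectedAud string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, errSig := base64.RawURLEncoding.DecodeString(parts[2])
	raw, errRaw := base64.RawURLEncoding.DecodeString(parts[1])
	if errSig != nil || errRaw != nil {
		return nil, errors.New("bad base64url encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	if claims["aud"] != expectedAud {
		return nil, errors.New("unexpected aud")
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || int64(exp) <= now.Unix() || int64(exp) > now.Add(5*time.Minute).Unix() {
		return nil, errors.New("exp missing, expired, or more than 5 minutes out")
	}
	return claims, nil
}

// tokenRequestBody is the URL-encoded form body of the curl request in the article.
func tokenRequestBody(assertion, tenantDomain string) string {
	v := url.Values{}
	v.Set("grant_type", "client_credentials")
	v.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	v.Set("client_assertion", assertion)
	v.Set("audience", "https://"+tenantDomain+"/api/v2/")
	return v.Encode()
}

func main() {
	key, pubPEM, err := generateKeyPair()
	if err != nil {
		panic(err)
	}
	jti, _ := newJTI()
	tok, _ := buildClientAssertion(key, "<KEY_ID>", "<CLIENT_ID>", "<TENANT_DOMAIN>", jti, time.Now())
	fmt.Println(pubPEM, tok, tokenRequestBody(tok, "<TENANT_DOMAIN>"))
}
```

Running it prints the public key PEM to register, one signed assertion and the form body; the kid is only echoed into the header here, because it is Auth0 that assigns the Key ID when the public key is registered and uses it to pick the right key at verification time. Generating a new jti and a short exp for every request is what keeps a captured assertion from being replayed.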