How does signing a token work? (Invalid Signature Error)

Background: I’m running integration tests inside a .NET Core Web API that uses Auth0 to authorize on my endpoints. My tokens coming back from Auth0 contain an “invalid signature” when I paste them into the JWT.io verifier.

I’m having some trouble understanding at which point in my Authorization flow that my token is being signed, who signs it, and how it is signed.

I started a new development API in Auth0 (“My Dev API”) that uses HS256 Signing Algo to sign my tokens. As I understand it, with HS256, there is one secret key that is used to sign tokens (the signing secret), and the Machine to Machine flow looks like this:

  1. I post some credentials to Auth0, like this:
    clientID: exampleID
    clientSecret: exampleSecret
    audience: https://myaudience.com
    grant_type: client_credentials

  2. Auth0 sends me back an access token:
    access_token: exampleToken1234

When I paste this token into JWT.io, I am told that the token has an invalid signature.

  1. In my .NET application, I have some setup that does some kind of configuration:

        using System.Text;
        using Microsoft.AspNetCore.Authentication.JwtBearer;
        using Microsoft.Extensions.DependencyInjection;
        using Microsoft.IdentityModel.Tokens;

        // auth0Config (Domain, Audience, SigningSecret) is assumed to be loaded elsewhere.
        static void AddAuthentication(IServiceCollection services)
        {
            services.AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            }).AddJwtBearer(options =>
            {
                // Validation only: the middleware recomputes the HMAC over each incoming
                // token with this key, rejects it on mismatch, then checks iss and aud.
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = auth0Config.Domain,      // compared exactly against the token's "iss" claim
                    ValidAudience = auth0Config.Audience,
                    IssuerSigningKey = new SymmetricSecurityKey(
                        Encoding.UTF8.GetBytes(auth0Config.SigningSecret))
                };
            });
        }


Can anyone explain if I’m supposed to add code to sign this token, if it arrives already signed (and if so, why is JWT.io telling me there’s an invalid signature) and what the config above is actually doing?

Also, is it necessary to create a standalone Dev API or can I send auth requests to the pre-built management-api?

Thanks in advance!
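As an added illustration (not code from the question, the reply, or Auth0), here is the HS256 mechanism in plain Python with only the standard library: the issuer computes an HMAC-SHA256 over header.payload with the signing secret, and the API recomputes it with the same secret, which is what the IssuerSigningKey / TokenValidationParameters setup above does. A verifier that does not hold the secret (JWT.io, until the secret is pasted in) can only report an invalid signature. The secret, issuer and subject values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """What the issuer (Auth0) does: HMAC-SHA256 over header.payload with the signing secret."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, secret: str, issuer: str, audience: str) -> Optional[dict]:
    """What the API does (cf. TokenValidationParameters): recompute the HMAC with the
    shared secret and compare; then check iss and aud. Returns the claims or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(p))
        provided = _b64url_decode(s)
    except ValueError:                         # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":           # never let the token choose the algorithm
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None                            # this is JWT.io's "invalid signature"
    if claims.get("iss") != issuer:            # exact match, trailing slash included
        return None
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in aud:
        return None
    return claims
```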

Hi @sethnejame,

See the docs here:

That should get you started. All tokens are signed.

John