How to forge an RS256 token with the Signing Key

I am trying to create a token with the signing key. However, I get an error about the key and algorithm.

secretOrPrivateKey must be an asymmetric key when using RS256

Is there something obvious I’m doing wrong?

Hey there @kuhrt welcome to the community!

I assume the key you’ve added here comes from your tenant settings? If so, this is not your tenant’s private signing key and thus won’t work in this scenario. What you’re using here is actually an X.509 certificate, which is a different format than what is expected (.pem) and includes your tenant’s public key as well as other certificate values (issuer, validity dates, etc.). In fact, the RS256 signing key is protected and used by Auth0 to sign tokens and is not available.

If you would like to sign tokens yourself, you’ll instead need to generate your own RSA key pair using something like openssl. For example, the following will generate the private key:

openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048

And extract the public key from the private key:

openssl rsa -pubout -in private_key.pem -out public_key.pem

Using the private_key.pem as your secret in the code you shared should work.

Hope this helps!

Yep it is.

If we do what you’re saying, how are we going to validate our tokens with the Auth0 JWKS?

These tokens need to be sent to our app and validated with our tenant JWKS.

It sounds like it’s impossible. This is a problem for us.


Thanks for confirming!

If you’re signing tokens in this manner then you won’t be able to validate using your tenant’s JWKS.

Is there a reason you can’t get tokens from Auth0? This is the typical approach. You will then be able to validate them using your tenant’s JWKS.
