How to get PUBLIC KEY PEM from jwks.json

dch · March 31, 2021, 9:58am

Our backend application requires the public cert of the signing key, in PEM format.

The jwks.json url at https://domainauth0.com/.well-known/jwks.json spits back:

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "...",
      "e": "....",
      "kid": "...",
      "x5t": "...",
      "x5c": ["...="
      ]
    },
...

The x5c array looks almost right, but it’s clearly not the right format for our application, which expects:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQE...
BAQUAA4GNADCBiQKBg...
QDdlatRjRjogo3WojgGH....
-----END PUBLIC KEY-----

What’s the simplest way to get this public cert? Is it related to the Signing Certificate available in the advanced section of the auth0 tenant application?

dan.woda · March 31, 2021, 3:10pm

Hi @dch,

Welcome to the Community!

You can quickly get the PEM formatted public ~~key~~ cert from the /pem endpoint.

For example:

https://my-auth0-domain.com/pem

dch · March 31, 2021, 3:20pm

I tried this earlier, and it’s not sufficient. It returns this format:

-----BEGIN CERTIFICATE-----
MIIDDTCCAfWgAwIBAgIJIuh42TrceKqdMA0GCSqGSIb3DQEBCwUAMCQxI...

Which looks like CRT to me, not PEM, I’m no expert here.

However this worked:

$ curl -s https://:domain.auth0.com/pem | openssl x509 -pubkey -noout

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsIhk...

Can you shed any light on why these 2 formats are different?

thanks Dan!

dan.woda · March 31, 2021, 3:51pm

It looks like the cert you get from the /pem endpoint is a public certificate that contains other information in addition to the public key. If you decode it, you can see other information.

The result from your openSSL command extracts the public key from the original cert.

My original response said you could get the PEM formatted public key from the /pem endpoint, which is not exactly correct. It looks like you get a PEM formatted cert that contains the public key. I’ll edit it.

dch · March 31, 2021, 3:54pm

thanks Dan! It would be excellent to have an easily fetchable endpoint that provides the cert. This way https://:domain.auth0.com/.well-known/jwks.json or similar would allow us to always have the up to date keys even in the event of key rotation. Great for automated devops.

dan.woda · March 31, 2021, 3:57pm

You should be using the JWKS endpoint to do that.

dch · March 31, 2021, 4:01pm

It was in fact the first thing I tried. How does one go from seeing this and being largely confused:

{
  "keys": [
    {
      "alg": "RS256",
      "kty": "RSA",
      "use": "sig",
      "n": "...",
      "e": "...,
      "kid": "...",
      "x5t": "...",
      "x5c": [
        "MIIDDTCCA...

To knowing aah yeah MIIDDTCCA I recognise that. Clear as mud, that’s obviously the contents of a CRT encoded cert and I’ll just whip out openssl to translate that into the public key I actually need?

And is it, in fact, that pub-key I need? I’m still not clear on that?

dan.woda · March 31, 2021, 4:15pm

What framework/language are you using? There are libraries that handle all of this for you, you shouldn’t have to manually set anything unless you are wanting to or have a very specific use-case. Most of our SDKs allow you to set a domain and will retrieve your public key automatically.

dch · March 31, 2021, 4:19pm

Elixir with UeberAuth plugin GitHub - achedeuzot/ueberauth_auth0: Auth0 OAuth2 strategy for Überauth. to do the “oauth dance”
using the provided token to as HTTP Authorization Bearer token to Apache CouchDB 1.2.23. Authentication — Apache CouchDB® 3.3 Documentation

dan.woda · March 31, 2021, 4:41pm

Thanks. So you want to verify JWTs directly in your CouchDB? That is where you need the PEM formatted public key?

dch · March 31, 2021, 4:41pm

Yep. I have this working, but only with the ---- BEGIN PUBLIC KEY ---- style format.

system · April 15, 2021, 4:42pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.