
Invalid certificate from jwks for signing JWT



So this is for the situation where there is a change to the contents of the access_token (e.g. a user updating their name), which means I need to generate a new JWT access_token.

  • I have all the data for the new JWT
  • I need to sign the new JWT with the certificate as the secret
  • The way I get the certificate is by calling jwksRsaClient.getSigningKey, which needs the kid
  • The only way I can think of getting the kid is from the current token, so I decode the current JWT
  • I retrieve the certificate back from jwksRsaClient.getSigningKey
  • I use it to sign the token with jwt.sign(data, certificate, {algorithm: 'RS256'})

I get an error: error:0906D06C:PEM routines:PEM_read_bio:no start line
When checking the certificate’s validity against openssl, it turns out the certificate is invalid.

Any help would be great


I’m likely missing something, but if you’re using the Auth0 service as an identity provider/authorization server (aka token issuer), then in general the only entity that should be signing tokens is the service itself. In some situations (hint: HS256) you may have the technical ability to sign tokens due to having the shared secret, but for RS256 this is more than just a theoretical guideline, because you don’t even have access to the private key; only the matching public key is provided so you can validate issued tokens, but you can’t sign new ones.