
JWK Certificate thumbprint is invalid

jwt
jwks
certificate


Hi,

When a JWK set is fetched from https://<your-auth0-domain>.auth0.com/.well-known/jwks.json, the x5t field in the response has an invalid thumbprint. It should be 20 bytes, but it is longer.

There was already an issue opened (1), but it was closed without resolution. This is a bug in Auth0, as per https://tools.ietf.org/html/rfc7517#section-4.8.

The “x5t” (X.509 certificate SHA-1 thumbprint) parameter is base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate [RFC5280].

As far as I understand, in Auth0 it is base64 encoding of hex-encoding of the SHA-1 thumbprint, which is incorrect.

Because of this, third-party libraries don’t work well with Auth0. This bug also prevents other products from integrating well with Auth0 (2).

Would appreciate if there is proper discussion around this (and not abrupt closing) and resolution.

PS: See also https://github.com/frasertweedale/hs-jose/issues/54


(1): Certificate thumbprint is longer than 20 bytes
(2): https://docs.hasura.io/1.0/graphql/manual/auth/jwt.html#auth0
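The encoding difference the post describes, as an added example that is not part of the original post or of Auth0's code: it computes the RFC 7517 form of x5t (base64url of the raw SHA-1 digest of the DER bytes) beside the non-conforming form (base64 of the hex digest), and a check that a JWKS consumer can run on an x5t value. SAMPLE_DER is a constructed byte string standing in for a certificate's DER encoding, and all function names are assumptions.

```python
import base64
import hashlib
import re
from typing import Optional, Tuple

# Constructed stand-in for the DER bytes of an X.509 certificate. x5t is
# defined over the raw DER bytes, so any byte string exercises the encoding.
SAMPLE_DER = b"\x30\x82\x01\x0a" + bytes(range(256))


def b64url_nopad(raw: bytes) -> str:
    """base64url without padding, as JOSE uses everywhere."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def rfc7517_x5t(der: bytes) -> str:
    """x5t per RFC 7517 section 4.8: base64url(SHA-1(DER)), 20 bytes inside."""
    return b64url_nopad(hashlib.sha1(der).digest())


def hex_then_base64_x5t(der: bytes) -> str:
    """The non-conforming variant described in the post: base64(hex(SHA-1(DER)))."""
    hex_digest = hashlib.sha1(der).hexdigest().encode("ascii")
    return base64.b64encode(hex_digest).decode("ascii")


def decode_b64url(value: str) -> bytes:
    """Decode base64url, tolerating missing padding."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def check_x5t(x5t: str, der: Optional[bytes] = None) -> Tuple[bool, str]:
    """Validate an x5t value from a JWK; optionally compare it to a known DER cert."""
    try:
        raw = decode_b64url(x5t)
    except ValueError:
        return False, "not valid base64url"
    # 40 hex characters means the digest was hex-encoded before base64.
    if len(raw) == 40 and re.fullmatch(rb"[0-9a-fA-F]{40}", raw):
        return False, "decodes to 40 hex chars: base64(hex(SHA-1)), not base64url(SHA-1)"
    if len(raw) != 20:
        return False, f"decodes to {len(raw)} bytes, expected 20 (SHA-1 digest)"
    if der is not None and raw != hashlib.sha1(der).digest():
        return False, "does not match SHA-1 of the supplied certificate"
    return True, "ok"


if __name__ == "__main__":
    print(rfc7517_x5t(SAMPLE_DER), check_x5t(rfc7517_x5t(SAMPLE_DER), SAMPLE_DER))
    print(hex_then_base64_x5t(SAMPLE_DER), check_x5t(hex_then_base64_x5t(SAMPLE_DER)))
```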