JWT - Issue creating token with X509 Private Key

Hi,
I’m creating a JWT using an X509 certificate. I’m using the private key within the pfx certificate to sign the token, and the algorithm used is RS256. I’m able to create the token, validate it in the JWT.io debugger and get the result “Signature Verified” when providing the public and private keys.

However, when the JWT is sent to a token endpoint using Postman, I keep receiving the error “401 - Unauthorized” with the message “Invalid_Client”. I tried with a new valid client-id; still the same issue as above. The endpoint already has the public certificate installed.

The code is written in .NET Core and the snippet is below. Is there anything missing here? Any help on this is greatly appreciated.

    using System;
    using System.Collections.Generic;
    using System.Security.Claims;
    using System.Security.Cryptography.X509Certificates;
    using Microsoft.IdentityModel.JsonWebTokens;
    using Microsoft.IdentityModel.Tokens;

    // Load the pfx and take the first certificate (the one that carries the private key)
    string certificateLocation = @"Z:\Files\Private.pfx";
    string certificatePassword = "####";
    var colln = new X509Certificate2Collection();   // type name is case-sensitive: X509Certificate2Collection
    colln.Import(certificateLocation, certificatePassword, X509KeyStorageFlags.PersistKeySet);
    var certificate = colln[0];
    var privateKey = certificate.GetRSAPrivateKey();
    var privateSecurityKey = new RsaSecurityKey(privateKey);

    // Payload and signing credentials (RS256 over the pfx private key)
    var descriptor = new SecurityTokenDescriptor
    {
        Issuer = "ClientId",
        Audience = "aud",
        Expires = DateTime.UtcNow.AddMinutes(10),
        Subject = new ClaimsIdentity(new List<Claim> { new Claim("sub", "Username") }),
        SigningCredentials = new SigningCredentials(privateSecurityKey, SecurityAlgorithms.RsaSha256)
    };

    // Serialise and sign the token
    var tokenHandler = new JsonWebTokenHandler();
    string jwtValue = tokenHandler.CreateToken(descriptor);

Hi @creative_coder,

I am confused: why are you creating a JWT? Auth0 creates the JWTs for you.

John

Hi all,
I am also working on a similar situation where I am using Private Key JWT authentication (described in the docs here). I created an M2M app in Auth0, uploaded my certificate’s public key, and granted permissions/scopes for the app to call the Management API. Then I built a JWT using SDKs from Auth0, signed it with my private key, verified the encoded JWT’s signature with Auth0’s debugger, and POSTed it to the token endpoint. I am getting the same “401 - Invalid_Client” error with description “Unauthorized”.

Here is the general format of the POST request and the JWT.

JWT:
- alg: RS256, typ: JWT
- sub: Client_Id
- iss: Client_Id
- aud: https://{tenant}.us.auth0.com/api/v2/
- exp: now + a couple of minutes, iat: now
- jti: random uuid

POST:
- location: https://{tenant}/oauth/token
- Content-Type: application/x-www-form-urlencoded
- grant_type=client_credentials
- client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
- client_assertion=encoded and validated JWT
- audience=https://{tenant}.us.auth0.com/api/v2/

Is there any update on what might be the cause of this error? (Even to know what area of my authentication attempt is wrong would be helpful to narrow down my search!)

To @john.gateley’s question, I’m pretty sure that we are supposed to be creating one JWT to send to the token endpoint as our part of the authentication process, and then Auth0 (as the Identity Provider) sends back a different JWT that has our access token (assuming we successfully authenticated).

Cheers,
Graham
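An added example (not code from either poster) that builds the client_assertion in the shape Graham lists, decodes its claims for a pre-flight check, and sends the form-encoded request. The assertion’s aud is a parameter because RFC 7523 requires it to identify the authorization server (typically the token endpoint URL), so pass whatever value the provider’s docs specify; the class name, tenant values, pfx and HttpClient are assumed and left to the caller.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

public static class PrivateKeyJwtClient   // hypothetical helper, not part of any SDK
{
    // client_assertion per RFC 7523: iss and sub are both the client_id, a fresh jti,
    // a short lifetime, and the signature made with the pfx private key (RS256).
    public static string BuildClientAssertion(X509Certificate2 cert, string clientId, string audience)
    {
        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = clientId,
            Audience = audience,              // token endpoint URL, or whatever the provider documents
            IssuedAt = now,
            Expires = now.AddMinutes(2),      // keep replay window small; jti must be unique per request
            Subject = new ClaimsIdentity(new[] {
                new Claim(JwtRegisteredClaimNames.Sub, clientId),
                new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) }),
            SigningCredentials = new SigningCredentials(new X509SecurityKey(cert), SecurityAlgorithms.RsaSha256)
        };
        return new JsonWebTokenHandler().CreateToken(descriptor);
    }

    // Decode without verifying so iss/sub/aud/exp can be checked before the request goes out.
    public static List<string> InspectClaims(string jwt) =>
        new JsonWebToken(jwt).Claims.Select(c => $"{c.Type}={c.Value}").ToList();

    // The form body from the thread; on 401 the JSON body carries error and error_description.
    public static async Task<string> RequestTokenAsync(HttpClient http, string tokenEndpoint, string assertion, string apiAudience)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["client_assertion_type"] = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
            ["client_assertion"] = assertion,
            ["audience"] = apiAudience        // the API identifier, e.g. the Management API
        });
        using var response = await http.PostAsync(tokenEndpoint, form);
        string body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode) throw new InvalidOperationException($"{(int)response.StatusCode}: {body}");
        return body;   // JSON containing the access_token on success
    }
}
```

Load the pfx as in the first post, call BuildClientAssertion with the token endpoint as the audience, print InspectClaims to confirm sub and iss equal the client_id and exp is in the future, then call RequestTokenAsync with the Management API identifier as the form audience. The error_description in a 401 body is the fastest way to tell whether the client, the signature or the claims were rejected.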

If it makes a difference, I am on a trial subscription of Auth0, which does say it allows me to use Private Key JWT until the trial ends. But maybe my tests are still getting this Unauthorized error because I don’t have the full-fledged paid subscription. Is there some setting difference between the trial version of Private Key JWT and the paid version that would cause my token requests to fail?