I am integrating custom JWT authentication in MongoDB. I have used the correct JWK URI -
https://{auth_server}/.well-known/jwks.json
But whenever I try to access the API with the JWT provided by Auth0 → API → Test tab → cURL command, I always run into an ‘invalid kid’ error. I have verified that the kid in the JWT and in jwks.json are the same. I suspect the kid provided by Auth0 is invalid. Please help in rectifying this issue.
Hi @dan.woda, thanks for responding.
I have GraphQL APIs set up in MongoDB Atlas. For their authentication, I am setting up Custom JWT Auth using Auth0.
First I created an API in Auth0, with Audience as the GraphQL Endpoint in Atlas.
Then, to set up custom JWT auth in Atlas, I provided the JWK URI and the same Audience that I set up the Auth0 API with.
When I run the query with a test JWT token, I receive "error": "value of 'kid' has invalid format".
Test JWT - eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldJeWhoLVlHamY1Z2dFdGdQa1ViUSJ9.eyJpc3MiOiJodHRwczovL2Rldi1mZWNmN3IzeC51cy5hdXRoMC5jb20vIiwic3ViIjoib0V2amFhclYxOHZ6MHQ4WnF5dEdDdUl5SURkTlhQNFJAY2xpZW50cyIsImF1ZCI6Imh0dHBzOi8vdXMtZWFzdC0xLmF3cy5yZWFsbS5tb25nb2RiLmNvbS9hcGkvY2xpZW50L3YyLjAvYXBwL3JlZm95ZXItZGV2LWFwcC1vZGJuZi9ncmFwaHFsLyIsImlhdCI6MTY4MjM2MDYzOCwiZXhwIjoxNjgyNDQ3MDM4LCJhenAiOiJvRXZqYWFyVjE4dnowdDhacXl0R0N1SXlJRGROWFA0UiIsImd0eSI6ImNsaWVudC1jcmVkZW50aWFscyJ9.OJGXrk40hn1-mSI7BP6eO7sXbreEDx50pUEfvx4KZMpoNsIOxxq-fjKoAGN4W-Vca_fIZP4tHDNlHbi4D0iqF7vcELWOdc3YqoFSLF7dn8D_5D2833uuFtxGk4A-TtDG71w5O-16zP_b0XJLexw-xn-LZL1TVMGeRZ44eDsFZ6F2YX6uE6J5584I7siyFMCPzEl5FBrp0F1qDvno9lJ0nwTUBdj8cLYEcoYt6XUfFtm910sQeTO90fbY2JI71nsS4Rw4c0GEOLT1uqnJn63Ui9LmtZQQkjRLiAHfzqpxCBMI2OHggIJz7JjQ9Li1NBvKEHcNTLhxvFvAFKMaN30qUQ
Moreover, if I use the SDK to fetch the access token using auth0.getAccessTokenSilently(), I get an invalid token. Here is an example:
eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtZmVjZjdyM3gudXMuYXV0aDAuY29tLyJ9…F3kcxBqU1ZupVvkS.mn9CEV1ROINNbhRLprcXhEP3cKg7-Ps8QsNVilhDvx7pdZRFwPvJRDwp9WES3ZnV7LayVBqRzmfdeREXnmfQ7jlZV_vzTn1gjjzA9y_F5WFKyf44GE0RxaANdGOuRRNel-g0wZ8qTF231XslqTb5cxDEmUUZ8qImqjTIXE0voVwDiVG7a9SDkCIRWMTLphNf_nw_7HJHERlkFiq38es7qjFS-PTiPZXGIi-4wiMgz6lx_VejBq22Q9UyOhUWtQSLdqyE0FNTho4micqnrqlMdn7gH1KHRR9iAQbcL9KV8rg4IaWq5Y4oALGM2PJF_MAtz2E.fMvzHE9vvx0tMYapTgmCUQ
Something is really incorrect with how the tokens are being built by Auth0.
Auth0 issues two formats of tokens: JWTs (the first token you listed) and JWEs (the second token you listed). The second token is encrypted and cannot be decrypted by an API outside of Auth0. The SDK is fetching an encrypted token because you aren’t specifying an audience.
The first token, the JWT, is correctly formed and matches the JWKs for your tenant. I have validated this token, and it works fine. Everything is working normally from Auth0. The API registered for that audience (mongo) should be able to consume that token.
Most likely, something is wrong with how mongo is consuming the token. If I search the error you listed, I can find that mongo doesn’t accept tokens with the standard Authentication Bearer header. Have you tried searching the error you provided?
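The distinction in the reply above (a signed JWT with a `kid` versus an encrypted JWE with no `kid`) can be checked on the client before a token is ever sent to the API. The following Node.js script is an added example and is not code from the thread, from Auth0 or from MongoDB: it reads the header segment of a token, classifies it as JWS or JWE, looks the `kid` up in a JWKS document and checks the `aud` claim. The two header segments are copied from the tokens posted in the thread; the payload, signature, JWE body segments, the JWKS document and the audience value are constructed placeholders. It does not verify the signature, so it is a diagnostic, not a substitute for proper validation.

```javascript
// Added example (not from the thread): inspect an Auth0-issued token before handing
// it to a resource server, so "no kid" / "unknown kid" / "wrong audience" problems
// are visible client-side. Node 16+ (Buffer supports the 'base64url' encoding).

function b64urlDecode(segment) {
  return Buffer.from(segment, 'base64url').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Classify a compact-serialized token. A JWS (signed JWT) has exactly 3
// dot-separated segments; a JWE has 5 and its header carries "enc". Auth0's
// opaque-looking access tokens are JWEs: no "kid", so a third-party API has
// no signing key to look up and cannot verify them.
function inspectToken(token) {
  const segments = token.split('.');
  let header;
  try {
    header = JSON.parse(b64urlDecode(segments[0]));
  } catch (e) {
    return { kind: 'invalid', header: null, reason: 'header is not base64url-encoded JSON' };
  }
  if (segments.length === 5 || typeof header.enc === 'string') {
    return { kind: 'JWE', header, reason: 'encrypted token (enc=' + header.enc + '); only the issuer can decrypt it' };
  }
  if (segments.length !== 3) {
    return { kind: 'invalid', header, reason: 'expected 3 segments, got ' + segments.length };
  }
  if (typeof header.kid !== 'string' || header.kid.length === 0) {
    return { kind: 'invalid', header, reason: 'signed token without a string kid' };
  }
  return { kind: 'JWS', header, reason: 'signed token, alg=' + header.alg };
}

// Return the JWK whose kid matches the token header, or null when none does.
// A null here is what a resource server would report as an unknown/invalid kid.
function findSigningKey(header, jwks) {
  return jwks.keys.find((k) => k.kid === header.kid) || null;
}

// Decode the claims WITHOUT verifying the signature: inspection only.
function decodeClaims(token) {
  return JSON.parse(b64urlDecode(token.split('.')[1]));
}

// RFC 7519 allows "aud" to be a single string or an array of strings.
function audienceMatches(claims, expectedAud) {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return aud.includes(expectedAud);
}

// --- Sample inputs -------------------------------------------------------
// Header segment of the signed token posted in the thread ({"alg":"RS256","typ":"JWT","kid":...}).
const SIGNED_HEADER = 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IldJeWhoLVlHamY1Z2dFdGdQa1ViUSJ9';
// Payload and signature below are constructed placeholders, not the real ones.
const EXPECTED_AUD = 'https://EXAMPLE-API/'; // placeholder audience
const sampleJws = SIGNED_HEADER + '.' +
  b64urlEncode({ iss: 'https://TENANT.auth0.com/', aud: EXPECTED_AUD, exp: 1682447038 }) +
  '.c2lnbmF0dXJl'; // "signature", not a real RS256 signature

// Header segment of the encrypted token posted in the thread ({"alg":"dir","enc":"A256GCM",...}).
const JWE_HEADER = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwiaXNzIjoiaHR0cHM6Ly9kZXYtZmVjZjdyM3gudXMuYXV0aDAuY29tLyJ9';
// alg "dir" leaves the encrypted-key segment empty; iv, ciphertext and tag are placeholders.
const sampleJwe = JWE_HEADER + '..aXY.Y2lwaGVydGV4dA.dGFn';

// Constructed JWKS document: only the kid matters for this lookup.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'WIyhh-YGjf5ggEtgPkUbQ', n: '<placeholder>', e: 'AQAB' },
    { kty: 'RSA', use: 'sig', alg: 'RS256', kid: 'some-other-key', n: '<placeholder>', e: 'AQAB' },
  ],
};

function report(token) {
  const info = inspectToken(token);
  const key = info.kind === 'JWS' ? findSigningKey(info.header, SAMPLE_JWKS) : null;
  const audOk = info.kind === 'JWS' ? audienceMatches(decodeClaims(token), EXPECTED_AUD) : false;
  return { kind: info.kind, reason: info.reason, keyFound: key !== null, audienceOk: audOk };
}

console.log(report(sampleJws));
console.log(report(sampleJwe));
```

Run it with `node inspect-token.js`. The first report comes back as a JWS whose `kid` is found in the JWKS and whose audience matches; the second comes back as a JWE with no `kid` at all, which is the situation the SDK produces when no audience is requested. If a real token classifies as JWS but `keyFound` is false, the JWKS URI or the key id is the thing to investigate; if it classifies as JWE, the fix is on the client side (request the audience), not on the API.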
Thanks for looking up the MongoDB issue. Using the header does solve the issue. Also, thanks for pointing out that I was missing the audience. I added the Audience in the config code, and the function getAccessTokenSilently now returns a valid token that works.