JWT Signing Using RSA Private Key

Problem statement

Two questions concerning the configuration of our application, with respect to the use of Private Key JWT as the client authentication method.

  1. Is it possible to pass an RSA private key as a secret to the jsonwebtoken sign() method instead of configuring it through the Credentials tab under application settings?

  2. The Application Settings page for a particular app does not seem to have a Credentials option where the key can be uploaded. Why is this option missing from the dashboard screen?

Solution

To configure Private Key JWT as the application's client authentication method, follow the steps below.

NOTE: This feature is available only to customers with an Enterprise or above subscription.

On the Credentials tab under the Application Settings:

  1. From the left-hand menu of the Dashboard, navigate to Applications > {application-name}, then click on the Credentials option.
  2. A screen will appear, showing two major configuration options. Choose the lower Available Credentials option and click the Add New Credential button.

These are the steps to add a Private Key JWT for use as the client authentication method.

  1. Choose a name for the new credential.
  2. Upload a PEM-formatted public key or certificate (only the public half of the pair; the private key never leaves your system).
  3. Choose an algorithm (by default this is RS256).
  4. Set an expiration date.
  5. Click on the Add Credential button.
  6. The new credential should now appear in the Available Credentials section.

Additional Notes:

  • It is not possible to pass an RSA private key as a secret to the jsonwebtoken sign() method instead of configuring a credential through the Credentials tab under application settings; the two are not alternatives. The private key is what your backend uses to sign the client assertion (this is exactly what sign() does with it), but Auth0 can only verify that signature if the matching public key has been registered. The private key should be maintained on the backend server that performs the call, as discussed in the documentation on Private Key JWT: an asymmetric authentication method for confidential applications. In Private Key JWT, you generate a pair of keys, public and private, to use as credentials. You provide the public key and securely store the private key in your own system without sharing it with Auth0. You use the private key to sign the request sent to the authorization server. It is only necessary to share the public key, which can be found under the Credentials tab of the Application settings.

  • The Private Key JWT option is intended for regular web apps and API servers that have a backend in which to store the private key and from which to perform the API calls.

The Credentials tab, and with it the Private Key JWT option, is not displayed if the application is one of the following types:

  • SPA
  • native mobile
  • desktop applications

This is because these are public (non-confidential) clients: the end users can access the code, so there is no place in which the private key could be stored securely.
