I am using Java with Maven packages:
jwks-rsa 0.9.0
java-jwt 3.8.3
Java Eclipse
execution environment javaSE-1.8(jdk1.8.0_111)
My organization has Auth0 services implemented on different environments from Liberty server to IBM WebSphere. Each is on its own server. Recently, when attempting to verify our tokens via a method (listed below), we are getting the below error on all environments. We have added our certificates (months ago), and when attempting to add them now it says they already exist, so I’m sure that the certificates have been added. Has Auth0 recently changed its policies on certificates? We are not using SSL and the below error is even happening on localhost. Below the error is the method that is throwing the exception, called “IsValidToken()”.
The error occurs on the line:
Jwk jwk = provider.get(kid);
Error: Cannot obtain jwks from url https://dev-q7dj12vg.auth0.com/.well-known/jwks.json.
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
public static String IsValidToken(String token) throws Exception
{
    boolean isValid = false;
    try
    {
        // deconstruct the token to get the individual parts.
        DecodedJWT jwt = JWT.decode(StripBearerFromToken(token));
        // set the KeyID
        String kid = jwt.getKeyId();
        // get the provider from the issuer field (read from the token before it is verified)
        JwkProvider provider = new UrlJwkProvider(jwt.getIssuer());
        Jwk jwk = provider.get(kid);
        // create a public key using the publicKey
        RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();
        // create an algorithm from the public key.
        Algorithm algorithm = Algorithm.RSA256(publicKey, null);
        // create a verifier to check the integrity of the token
        JWTVerifier verifier = JWT.require(algorithm)
                .withIssuer(jwt.getIssuer())
                .build();
        // if the token is good it will return an object of type DecodedJWT.
        DecodedJWT jwkD = verifier.verify(StripBearerFromToken(token));
        if (jwkD != null)
        {
            return "";
        }
        else
        {
            throw new Exception("Error: Token is invalid. Returned Null from verifier.");
        }
    }
    catch (JWTVerificationException exception)
    {
        // if an error occurs return the error.
        return "Error: " + exception.getMessage();
    }
}
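
An added example, not code from the original post or from Auth0: a variant of the method above that takes the issuer from configuration instead of from the unverified token, and reports a JWKS TLS trust failure separately from an invalid token. The class name, the `TRUSTED_ISSUER` value (derived from the JWKS URL in the error message) and the `hasCause` helper are assumptions.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.interfaces.RSAPublicKey;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLHandshakeException;

public class PinnedIssuerVerifier {
    // Assumption: the tenant named in the error message is the only trusted issuer.
    static final String TRUSTED_ISSUER = "https://dev-q7dj12vg.auth0.com/";
    // Built once from configuration, never from a claim in the incoming token.
    static final JwkProvider PROVIDER = new JwkProviderBuilder(TRUSTED_ISSUER)
            .cached(10, 24, TimeUnit.HOURS)
            .build();

    /** Returns the verified token; throws if the token is bad or the keys cannot be fetched. */
    public static DecodedJWT verify(String rawToken) throws JwkException {
        DecodedJWT unverified = JWT.decode(rawToken);
        // Reject before any network call if the token names a different issuer.
        if (!TRUSTED_ISSUER.equals(unverified.getIssuer())) {
            throw new JWTVerificationException("Unexpected issuer");
        }
        Jwk jwk;
        try {
            jwk = PROVIDER.get(unverified.getKeyId());
        } catch (JwkException e) {
            // A TLS trust failure is an infrastructure fault, not an invalid token.
            if (hasCause(e, SSLHandshakeException.class)) {
                throw new IllegalStateException(
                        "JWKS endpoint certificate is not trusted by this JVM's truststore", e);
            }
            throw e;
        }
        Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
        return JWT.require(algorithm).withIssuer(TRUSTED_ISSUER).build().verify(rawToken);
    }

    // Walks the cause chain, since the provider wraps the underlying SSL exception.
    static boolean hasCause(Throwable t, Class<? extends Throwable> type) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (type.isInstance(c)) return true;
        }
        return false;
    }
}
```

The PKIX failure itself is resolved in the truststore of the JVM that runs the server (the JRE's `cacerts`, or the application server's own truststore), not by relaxing certificate validation in code.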