Unable to verify jwt generated by auth0

Hi! I am having trouble with implementing a client-credentials flow used by a webtask script, and would really appreciate some help.

I am able to get an access_token using the cURL command provided in the Quick Start page in my client, as such:

curl --request POST \
  --url https://*****.auth0.com/oauth/token \
  --header 'content-type: application/json' \
  --data '{"client_id":"CXG6bVUbm******PqbQOlGdlYx","client_secret":"{AUTH0_CLIENT_SECRET}","audience":"https://cmd-list","grant_type":"client_credentials"}'

Response from above request:

{"access_token":"**************","expires_in":86400,"token_type":"Bearer"}

However, I am unable to verify the returned token using the same {AUTH0_CLIENT_SECRET} - I keep getting Unauthorized: invalid signature. I have tried validating the token with both https://jwt.io/ and my own token validation code:

const jwt = require('jsonwebtoken'); // jsonwebtoken@7.1.9, required in the webtask script

// Verification attempt as posted: the client_secret is passed as the HS256 key
const user = jwt.verify(token, authParams.clientSecret, {
  algorithms: ['HS256'],
  audience: 'https://cmd-list',
  issuer: 'https://*********.auth0.com/'
});

Context:

  • the jwt library is jsonwebtoken@7.1.9 required in a webtask script.
  • I’m trying to customize the validateToken function in the webtask-tools auth0 library since it assumes audience to be clientId which is not the case.
  • I have also tried using Buffer.from(authParams.clientSecret, 'base64') as the second argument for jwt.verify() - no dice.

Hi @vanessa.yh.yuen,

Access Tokens signed with HS256 need to be validated with the Signing Secret of the API, rather than the client_secret. You can find this in your API settings > Signing Secret. Please try this and let me know if you still face issues.


thank you so much! i had been scratching my head for too long!

@prashant I don’t see any “Signing Secret” or similar field in my API settings; do you know why this would be, and/or what I should use for signature validation? The fields I have are:

  • Id
  • Name
  • Identifier
  • Token Expiration
  • Token Expiration for Browser Flows
  • Allow Skipping User Consent
  • Allow Offline Access
  • Signing Algorithm

@estaub2 you won’t see the Signing Secret if your Signing Algorithm is RS256. RS256 signed tokens must be verified using your tenant’s JSON Web Key Set (JWKS). This is located at:

https://YOUR_TENANT.auth0.com/.well-known/jwks.json

More info here: Validate Access Tokens