
Verify JWT token received from auth0

I want to verify the JWT token returned by auth0 on the server side using Java. For that I am using the auth0 java-jwt library. This is the example code they are providing.

    import java.security.interfaces.RSAPrivateKey;
    import java.security.interfaces.RSAPublicKey;

    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;

    RSAPublicKey publicKey = null;   // Get the key instance
    RSAPrivateKey privateKey = null; // Get the key instance
    // token: the JWT string received from the client

    try {
        Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
        JWTVerifier verifier = JWT.require(algorithm)
                .withIssuer("auth0")
                .build(); // Reusable verifier instance
        DecodedJWT jwt = verifier.verify(token);

        System.out.println(jwt.getPayload());

    } catch (JWTVerificationException exception) {
        // Invalid signature/claims
    }

I got the public key from the URL https://.auth0.com/dbconnections/pem
How do I set this in code? Also, where can I get the private key?

Auth0 does not provide the private key, but you won’t need it for validation. Simply leave the privateKey parameter as null.

Take a look here for an example of creating the PublicKey instance from a file.


Tried it, issue while generating the public key.

This is the exception I am getting:

    java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
        at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
        at com.ceino.supportapp.test.JWTClass.getPublicKey(JWTClass.java:93)
        at com.ceino.supportapp.test.JWTClass.readPublicKeyFromFile(JWTClass.java:106)
        at com.ceino.supportapp.test.JWTClass.main(JWTClass.java:35)
    Caused by: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
        at sun.security.x509.X509Key.decode(X509Key.java:397)
        at sun.security.x509.X509Key.decode(X509Key.java:402)
        at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:86)
        at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
        at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
        ... 4 more


You could also use the jwks-rsa-java library to retrieve the public key at run time. Here is a complete sample. You need to get the accessToken JWT from the request and add your own tenant URL to make it work.

    import java.security.interfaces.RSAPublicKey;

    import com.auth0.jwk.Jwk;
    import com.auth0.jwk.JwkException;
    import com.auth0.jwk.JwkProvider;
    import com.auth0.jwk.UrlJwkProvider;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;

    public class JwtSample {
        public static void main(String[] args) {
            String token = "YOUR_JWT_TOKEN";
            // Fetches keys from https://YOUR_TENANT.auth0.com/.well-known/jwks.json
            JwkProvider provider = new UrlJwkProvider("https://YOUR_TENANT.auth0.com/");
            try {
                // Decode only (no verification yet) to read the kid header
                DecodedJWT jwt = JWT.decode(token);
                // Look up the signing key whose id matches the kid
                Jwk jwk = provider.get(jwt.getKeyId());

                // Verification only needs the public key; the private key stays null
                Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);

                JWTVerifier verifier = JWT.require(algorithm)
                        .withIssuer("https://YOUR_TENANT.auth0.com/")
                        .build();

                // Checks the signature, the issuer and the time-based claims
                jwt = verifier.verify(token);

            } catch (JWTVerificationException e) {
                // Invalid signature/claims
                e.printStackTrace();
            } catch (JwkException e) {
                // Signing key for this kid could not be retrieved from the JWKS endpoint
                e.printStackTrace();
            }
        }
    }

Note: You should also consider caching the public key so you are not calling the JWKS endpoint every single time you verify a JWT.

Here is a working sample if you prefer simply downloading and running it yourself https://github.com/ashishdasnurkar/javajwtsample

Make sure, though, that you are also performing further checks such as permissions, standard claims etc. The code above only does a JWT format check and a signature check. Reference here https://auth0.com/docs/tokens/guides/access-token/validate-access-token

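A fuller validator, added here as an illustration and not code from the thread or from the linked sample repository: it combines the cached JWKS lookup recommended in the note above with the audience, clock-skew and scope checks the linked docs call for, and it lets java-jwt resolve the key by `kid` so one verifier instance survives key rotation. The class name, cache sizes, rate limit, 60-second leeway and the space-separated `scope` claim handling are my assumptions.

```java
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;

public class Auth0TokenValidator {
    private final JWTVerifier verifier;

    public Auth0TokenValidator(String issuer, String audience) {
        // Cached, rate-limited JWKS lookup: 10 keys for 24h, max 10 fetches/min (assumed values)
        JwkProvider jwks = new JwkProviderBuilder(issuer)
                .cached(10, 24, TimeUnit.HOURS).rateLimited(10, 1, TimeUnit.MINUTES).build();

        // Let java-jwt pick the public key from the token's "kid" header, so key rotation just works
        RSAKeyProvider keys = new RSAKeyProvider() {
            public RSAPublicKey getPublicKeyById(String kid) {
                try { return (RSAPublicKey) jwks.get(kid).getPublicKey(); }
                catch (JwkException e) { throw new JWTVerificationException("unknown kid " + kid, e); }
            }
            public RSAPrivateKey getPrivateKey() { return null; } // signing is not needed on the API side
            public String getPrivateKeyId() { return null; }
        };

        this.verifier = JWT.require(Algorithm.RSA256(keys))
                .withIssuer(issuer)      // reject tokens minted by another tenant
                .withAudience(audience)  // reject tokens issued for a different API
                .acceptLeeway(60)        // tolerate 60 s clock skew on exp/nbf/iat
                .build();
    }

    // Signature and standard claims (exp, iss, aud) are checked by verify(); then enforce the scope
    public DecodedJWT verify(String token, String requiredScope) {
        DecodedJWT jwt = verifier.verify(token);   // throws JWTVerificationException on any failure
        String scope = jwt.getClaim("scope").asString();
        if (scope == null || !Arrays.asList(scope.split(" ")).contains(requiredScope)) {
            throw new JWTVerificationException("token lacks required scope " + requiredScope);
        }
        return jwt;
    }
}
```

Construct it once per application with your tenant issuer (for example `https://YOUR_TENANT.auth0.com/`) and the API identifier you configured as the audience, and call `verify` on every request.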
