Verify JWT token received from auth0

I want to verify the JWT token returned by Auth0 on the server side using Java. For that I am using the Auth0 java-jwt library. This is the example code they are providing.

    import java.security.interfaces.RSAPrivateKey;
    import java.security.interfaces.RSAPublicKey;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;

    String token = "YOUR_JWT_TOKEN"; // the JWT received from Auth0
    RSAPublicKey publicKey = null;   // Get the key instance
    RSAPrivateKey privateKey = null; // Get the key instance

    try {
        Algorithm algorithm = Algorithm.RSA256(publicKey, privateKey);
        JWTVerifier verifier = JWT.require(algorithm)
                .withIssuer("auth0")
                .build(); // Reusable verifier instance
        DecodedJWT jwt = verifier.verify(token);

        System.out.println(jwt.getPayload());

    } catch (JWTVerificationException exception) {
        // Invalid signature/claims
    }

I got the public key from the URL https://.auth0.com/dbconnections/pem
How do I set this in code? Also, where can I get the private key from?

Auth0 does not provide the private key, but you won’t need it for validation. Simply leave the privateKey parameter as null.

Take a look here for an example of creating the PublicKey instance from a file.

2 Likes

Tried it, issue while generating the public key.

This is the exception I am getting:

    java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
        at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:205)
        at java.security.KeyFactory.generatePublic(KeyFactory.java:334)
        at com.ceino.supportapp.test.JWTClass.getPublicKey(JWTClass.java:93)
        at com.ceino.supportapp.test.JWTClass.readPublicKeyFromFile(JWTClass.java:106)
        at com.ceino.supportapp.test.JWTClass.main(JWTClass.java:35)
    Caused by: java.security.InvalidKeyException: IOException: ObjectIdentifier() -- data isn't an object ID (tag = -96)
        at sun.security.x509.X509Key.decode(X509Key.java:397)
        at sun.security.x509.X509Key.decode(X509Key.java:402)
        at sun.security.rsa.RSAPublicKeyImpl.<init>(RSAPublicKeyImpl.java:86)
        at sun.security.rsa.RSAKeyFactory.generatePublic(RSAKeyFactory.java:298)
        at sun.security.rsa.RSAKeyFactory.engineGeneratePublic(RSAKeyFactory.java:201)
        ... 4 more

1 Like
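Added example (not code from any of the posters above, nor from the Auth0 samples): a loader that accepts either PEM form the file might be in. The stack trace above is what `X509EncodedKeySpec` produces when the bytes it is handed are an X.509 certificate rather than a bare SubjectPublicKeyInfo: after the two outer SEQUENCEs, `X509Key` expects an algorithm OID but finds the certificate's `[0]` version tag, 0xA0, which is the `tag = -96` in the message. The loader below therefore routes `BEGIN CERTIFICATE` blocks through `CertificateFactory` and only `BEGIN PUBLIC KEY` blocks through `KeyFactory`. Assumptions: Java 11 or later, the class name `PemPublicKeyLoader` and the command-line file path are hypothetical, and PKCS#1 `BEGIN RSA PUBLIC KEY` blocks are not handled.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

// Hypothetical class name; not part of java-jwt or the thread's sample code.
public final class PemPublicKeyLoader {

    // Reads a PEM file holding either a "PUBLIC KEY" block (SubjectPublicKeyInfo)
    // or a "CERTIFICATE" block and returns the RSA public key inside it.
    public static RSAPublicKey load(Path pemFile) throws Exception {
        return parse(Files.readString(pemFile, StandardCharsets.US_ASCII));
    }

    public static RSAPublicKey parse(String pem) throws Exception {
        if (pem.contains("-----BEGIN CERTIFICATE-----")) {
            // A certificate is not a SubjectPublicKeyInfo. Passing its DER to
            // X509EncodedKeySpec fails inside X509Key.decode with
            // "data isn't an object ID (tag = -96)": 0xA0 is the [0] version
            // field of the TBSCertificate. Parse it as a certificate instead.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
            return toRsa(cert.getPublicKey());
        }
        if (pem.contains("-----BEGIN PUBLIC KEY-----")) {
            // Strip the armor and whitespace, base64-decode, then feed the raw
            // SubjectPublicKeyInfo DER to the RSA KeyFactory.
            String base64 = pem
                    .replace("-----BEGIN PUBLIC KEY-----", "")
                    .replace("-----END PUBLIC KEY-----", "")
                    .replaceAll("\\s", "");
            byte[] der = Base64.getDecoder().decode(base64);
            KeyFactory kf = KeyFactory.getInstance("RSA");
            return toRsa(kf.generatePublic(new X509EncodedKeySpec(der)));
        }
        throw new IllegalArgumentException("expected a PEM PUBLIC KEY or CERTIFICATE block");
    }

    // Algorithm.RSA256 needs an RSAPublicKey; refuse anything else explicitly
    // rather than letting a ClassCastException surface at verification time.
    private static RSAPublicKey toRsa(PublicKey key) {
        if (!(key instanceof RSAPublicKey)) {
            throw new IllegalArgumentException("not an RSA key: " + key.getAlgorithm());
        }
        return (RSAPublicKey) key;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the PEM file downloaded from the tenant
        RSAPublicKey key = load(Path.of(args[0]));
        System.out.println("loaded RSA public key, modulus bits: " + key.getModulus().bitLength());
    }
}
```

The returned key is what goes into `Algorithm.RSA256(publicKey, null)` in the snippet from the question; the private key stays `null`, since verification only ever uses the public half.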

You could also use the jwks-rsa-java library to retrieve the public key at runtime. Here is a complete sample. You need to get the access token JWT from the request and add your own tenant URL to make it work.

    import java.security.interfaces.RSAPublicKey;
    import com.auth0.jwk.Jwk;
    import com.auth0.jwk.JwkException;
    import com.auth0.jwk.JwkProvider;
    import com.auth0.jwk.UrlJwkProvider;
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.JWTVerifier;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.exceptions.JWTVerificationException;
    import com.auth0.jwt.interfaces.DecodedJWT;

    // Class wrapper added so the sample compiles as one file
    public class App {
        public static void main(String[] args) {
            String token = "YOUR_JWT_TOKEN";
            // Fetches the tenant's JWKS (/.well-known/jwks.json) when a key is requested
            JwkProvider provider = new UrlJwkProvider("https://YOUR_TENANT.auth0.com/");
            try {
                DecodedJWT jwt = JWT.decode(token);
                // Get the kid from the received JWT token and look up the matching signing key
                Jwk jwk = provider.get(jwt.getKeyId());

                // Public key only: verification never needs the private key
                Algorithm algorithm = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);

                JWTVerifier verifier = JWT.require(algorithm)
                        .withIssuer("https://YOUR_TENANT.auth0.com/")
                        .build();

                // Checks the signature and the issuer claim; throws if either fails
                jwt = verifier.verify(token);

            } catch (JWTVerificationException e) {
                // Invalid signature/claims
                e.printStackTrace();
            } catch (JwkException e) {
                // Key lookup failed: unknown kid, JWKS unreachable, or not a usable public key
                e.printStackTrace();
            }
        }
    }

Note: You should also consider caching the public key so you are not calling the JWKS endpoint every single time you verify a JWT.

Here is a working sample if you prefer simply downloading and running it yourself: GitHub - ashishdasnurkar/javajwtsample (Simple sample to demo JWT verification).

Make sure, though, that you are also performing further checks such as permissions, standard claims, etc. The code above only does the JWT format check and the signature check. Reference: Validate Access Tokens.

4 Likes
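Added example, not written by any of the posters and not taken from the linked sample: the same JWKS flow with the caching the reply above recommends (`JwkProviderBuilder.cached` and `.rateLimited` from jwks-rsa-java) and the further checks it mentions, namely audience, clock-skew tolerance on the time claims, and a required entry in the `permissions` claim. Assumptions: java-jwt 3.x (`com.auth0.jwt.JWTVerifier`) and jwks-rsa-java on the classpath, network access to the tenant, the hypothetical class name `AccessTokenValidator`, and tenant domain, API identifier, token and permission supplied as command-line arguments.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.concurrent.TimeUnit;

// Hypothetical class name; not part of java-jwt, jwks-rsa-java or the thread's sample.
public final class AccessTokenValidator {

    private final String issuer;
    private final String audience;
    private final JwkProvider jwks;

    // domain: e.g. "YOUR_TENANT.auth0.com"; audience: the API identifier the token must be minted for
    public AccessTokenValidator(String domain, String audience) {
        this.issuer = "https://" + domain + "/";
        this.audience = audience;
        // Cached and rate-limited provider: each kid is fetched once and reused for
        // up to 24 h, so the JWKS endpoint is not hit on every request, and at most
        // 10 fetches per minute go out even if unknown kids keep arriving.
        this.jwks = new JwkProviderBuilder(domain)
                .cached(10, 24, TimeUnit.HOURS)
                .rateLimited(10, 1, TimeUnit.MINUTES)
                .build();
    }

    // Returns the verified token or throws; nothing from the token is trusted
    // until verifier.verify() has returned.
    public DecodedJWT validate(String token, String requiredPermission) throws JwkException {
        // decode() only parses the header and payload; it is used solely to read
        // the kid that selects which published key to verify against.
        DecodedJWT unverified = JWT.decode(token);
        Jwk jwk = jwks.get(unverified.getKeyId());

        Algorithm rs256 = Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
        JWTVerifier verifier = JWT.require(rs256) // also rejects tokens whose alg header is not RS256
                .withIssuer(issuer)
                .withAudience(audience)          // aud must contain this API's identifier
                .acceptLeeway(5)                 // tolerate 5 s of clock skew on exp/iat/nbf
                .build();

        // Signature, iss, aud and the time claims are all checked here.
        DecodedJWT jwt = verifier.verify(token);

        // Authorization check on top of authentication: the scope of what the
        // caller may do lives in the permissions claim, not in the signature.
        List<String> permissions = jwt.getClaim("permissions").asList(String.class);
        if (permissions == null || !permissions.contains(requiredPermission)) {
            throw new JWTVerificationException("token lacks required permission: " + requiredPermission);
        }
        return jwt;
    }

    public static void main(String[] args) throws Exception {
        // args: <tenant domain> <API identifier> <access token> <required permission>
        AccessTokenValidator validator = new AccessTokenValidator(args[0], args[1]);
        DecodedJWT jwt = validator.validate(args[2], args[3]);
        System.out.println("token for subject " + jwt.getSubject()
                + " accepted, expires " + jwt.getExpiresAt());
    }
}
```

Reading the `kid` with `JWT.decode` before verifying is safe because the header only selects which published key is tried; the verifier built from `Algorithm.RSA256` then refuses any token whose `alg` header does not match RS256, so a token rewritten to another algorithm fails at `verify()` rather than being accepted under the wrong scheme. The audience check matters because a tenant issues tokens for several APIs with the same signing key; without `withAudience` a token minted for a different API would pass.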
