We use an Auth0 account. I paste an Auth0-generated token into https://jwt.io/#debugger. It shows me the header and payload, but for the VERIFY SIGNATURE section it asks me to paste in a public RSA key or certificate, or a private RSA key, in order to verify the signature. I can see I have a secret for each client we’ve registered in Auth0. But where can I find, or how can I create, an RSA key or certificate?
If the token in question is signed with RS256, then you can quickly obtain the public key to use for validation by downloading it from https://[your_domain].auth0.com/pem. Have in mind this is just a quick shortcut to get to the key and be able to validate tokens in jwt.io. Applications and resource servers that need to validate JWTs they receive should obtain the keys from https://[your_domain].auth0.com/.well-known/jwks.json, as the response from that endpoint follows a certain schema that is already supported in many libraries.
Perfect, thank you.
Thanks for the answer @jmangelo. One more thing: does this pair of public and private keys change over time? If we just fetch the public key once, store it on the server and use that to decode the token, is it ok to do that?
At this time, there is no automatic process that will change it (not a big thing, as the certificate has a long expiration). There are some situations where it can change manually, but those would also be done with you in the loop. Having said that, for the purpose of validating JWTs, applications should use the above JWKS endpoint, cache the result until they receive a JWT with a kid not in the cached response, at which time they could obtain the keys again to see if there’s a new one. This way is future proof.