
I'm using Auth0 and parsing its idToken server-side like this:

    var tokenHandler = new JwtSecurityTokenHandler();
    var jwtToken = tokenHandler.ReadJwtToken(idToken); // idToken comes from client using auth0.js
    var sub = jwtToken.Claims.First(claim => claim.Type == "sub").Value;

The above code works well and I'm able to parse the idToken successfully, but I'd like to validate the idToken before trusting it, so I've tried this:

    string clientSecret = "{client_secret}"; // comes from Auth0 application's client secret
    var validations = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = "some value", // used "iss" from here: https://jwt.io/
        ValidAudience = "some value", // used "aud" from here: https://jwt.io/
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(clientSecret)),
    };

    var principal = tokenHandler.ValidateToken(idToken, validations, out var validatedToken);

When trying to validate the token, it results in this exception:

    Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException
      HResult=0x80131500
      Message=IDX10501: Signature validation failed. Unable to match key:
    kid: '[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'

I grabbed the issuer and audience values by parsing one of the tokens here: https://jwt.io/. The client secret is my application's client secret at Auth0.

How can I validate Auth0's idToken using JwtSecurityTokenHandler?

  • Interesting article here jerriepelser.com/blog/manually-validating-rs256-jwt-dotnet Commented Mar 20, 2020 at 0:05
  • @Nkosi that's exactly what I was looking for. Can you post that link as an answer? I'll mark it as the correct one. Thanks! Commented Mar 20, 2020 at 14:44
  • I would suggest adding what you got to work as a self answer and referencing the article to help others who may have this problem in the future. Commented Mar 20, 2020 at 15:03
  • @JohnnyOshika - would be happy if you can update how you resolved this. As I understand it, you should find a way to set the "issuerSigningKey" of Auth0 and then "ValidateIssuerSigningKey" should work Commented May 21, 2021 at 11:11
  • @TGN12 See my answer below... Commented May 21, 2021 at 19:07

1 Answer

To manually validate Auth0's JWT token, you need these 2 NuGet packages:

  • System.IdentityModel.Tokens.Jwt
  • Microsoft.IdentityModel.Protocols.OpenIdConnect

Then get these values from Auth0's application settings:

    string auth0Domain = ""; // Note: if your Domain is foo.auth0.com, this needs to be https://foo.auth0.com/
    string auth0ClientId = "";

Validate Auth0's token as follows (the signing keys are fetched from the tenant's OpenID Connect discovery document, so no client secret is involved):

    // Fetches https://{domain}/.well-known/openid-configuration and the JWKS it points to
    IConfigurationManager<OpenIdConnectConfiguration> configurationManager =
        new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{auth0Domain}.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever());
    OpenIdConnectConfiguration openIdConfig =
        await configurationManager.GetConfigurationAsync(CancellationToken.None);

    var validations = new TokenValidationParameters
    {
        ValidIssuer = auth0Domain,
        ValidAudiences = new[] { auth0ClientId },
        IssuerSigningKeys = openIdConfig.SigningKeys // RS256 public keys published by the tenant
    };

    var tokenHandler = new JwtSecurityTokenHandler();
    var user = tokenHandler.ValidateToken(idToken, validations, out var validatedToken);

With the validated token, you can extract useful info like this:

    var securityToken = (JwtSecurityToken)validatedToken;
    // "sub" is mapped to ClaimTypes.NameIdentifier by the handler's default inbound claim mapping
    var userId = user.Claims.First(c => c.Type == ClaimTypes.NameIdentifier).Value;

Source: Manually validating a JWT using .NET (jerriepelser.com/blog/manually-validating-rs256-jwt-dotnet)

Credit: @Nkosi
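A fuller version of the same approach, added here as an example rather than code from the answer or the linked article: it keeps one cached ConfigurationManager per tenant, turns every check on explicitly, pins the accepted algorithm to RS256, and retries once when the IDX10501 "unable to match key" error from the question shows up, which is what you see after Auth0 rotates its signing keys. The class name, the single retry and the use of ValidAlgorithms (needs Microsoft.IdentityModel.Tokens 6.x or later) are my additions.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public sealed class Auth0IdTokenValidator
{
    private readonly string _issuer, _clientId;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;

    // auth0Domain is the full issuer, e.g. "https://foo.auth0.com/" (https scheme, trailing slash).
    public Auth0IdTokenValidator(string auth0Domain, string auth0ClientId)
    {
        _issuer = auth0Domain;
        _clientId = auth0ClientId;
        // Fetches and caches the discovery document plus JWKS; refreshes itself on key rotation.
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{auth0Domain}.well-known/openid-configuration", new OpenIdConnectConfigurationRetriever());
    }

    public async Task<ClaimsPrincipal> ValidateAsync(string idToken, CancellationToken ct = default)
    {
        var handler = new JwtSecurityTokenHandler();
        var config = await _configManager.GetConfigurationAsync(ct);
        try
        {
            return handler.ValidateToken(idToken, Parameters(config), out _);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // IDX10501: the token's "kid" is not in the cached JWKS. Ask for a refresh (honoured once RefreshInterval has passed) and retry once.
            _configManager.RequestRefresh();
            config = await _configManager.GetConfigurationAsync(ct);
            return handler.ValidateToken(idToken, Parameters(config), out _);
        }
    }

    private TokenValidationParameters Parameters(OpenIdConnectConfiguration config) => new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = _issuer,                                    // exact match against "iss"
        ValidateAudience = true,
        ValidAudiences = new[] { _clientId },                     // an ID token's "aud" is the client ID
        ValidateIssuerSigningKey = true,
        IssuerSigningKeys = config.SigningKeys,                   // RS256 public keys from the tenant's JWKS
        ValidateLifetime = true,                                  // rejects expired or not-yet-valid tokens
        ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // refuse HS256 and "none"
    };
}
```

Any failure (bad signature, wrong issuer or audience, expired token) surfaces as a SecurityTokenException subclass, so callers should treat an exception from ValidateAsync as "not authenticated" rather than catching and continuing.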


2 Comments

  • Why do it manually and not use "ValidateIssuerSigningKey"?
  • This is dating back a year, but I think it was because I couldn't get ValidateIssuerSigningKey to work. See my original question above.
