Jason Swett Jason Swett - 13 days ago 5
Ruby Question

Having trouble decoding an Auth0 token

I have a JWT that Auth0 provided me when I authenticated via Lock in an Angular application.

I copied and pasted this token into a Ruby variable called

token
.

Here's what I get on the Rails console when I try to decode the token:

> JWT.decode token, nil, false
=> [{"iss"=>"https://benfranklinlabs.auth0.com/", "sub"=>"auth0|58306f91c08814e01015f434", "aud"=>"8NWWMzcPNXEvxogqwRar18hJuYAvsrG0", "exp"=>1479766470, "iat"=>1479730470}, {"typ"=>"JWT", "alg"=>"HS256"}]


This is fine, except I thought the decoding process was supposed to require my Auth0 client's Client Secret. I'm using Knock with my Rails application which tries to decode the token like this:

JWT.decode token, decode_key, true, options.merge(verify_options)


And
decode_key
is equal to this:

JWT.base64url_decode Rails.application.secrets.auth0_client_secret


And this attempt fails. I get the following error:


*** JWT::VerificationError Exception: Signature verification raised


I guess this makes sense. If I can decode the token just fine without using a key, then I imagine my token must not have been created with my Auth0 Client Secret factored in. I don't know this for a fact, though.

So my question is this: Knock seems to need to decode the token using my Auth0 Client Secret, but decoding the token using my Client Secret doesn't work. How can I get it to work?

Edit:

Here's my token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2JlbmZyYW5rbGlubGFicy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NTgzMDZmOTFjMDg4MTRlMDEwMTVmNDM0IiwiYXVkIjoiajNKdHpjYnNpTUkyR0JkRnZGb3FFTjM4cUtTVmI2Q0UiLCJleHAiOjE0Nzk3NzE4ODMsImlhdCI6MTQ3OTczNTg4M30.MuUbdC7TLBcteKCry-sioeZVStI9TZ6TdsP5WG_6K08


Here's my Client ID:
j3JtzcbsiMI2GBdFvFoqEN38qKSVb6CE


Here's my Client Secret:
development_secret

Answer

Auth0 recently (not exactly true, the change described next will only be in effect at December 6th 2016) switched the way client applications secrets are generated and encoded. Originally, the client secret would be generated and displayed as a Base64url encoded string, which meant you had to decode it before using it.

For newly created applications or for applications explicitly updated to no longer use the Base64url encoded mode, the client secret that is shown on Auth0 Dashboard is no longer Base64 encoded and as such you should not try to decode it before using it.


Using the provided sample token and secret, if you follow these steps:

  1. Access jwt.io
  2. Paste your token
  3. Update the verify signature section to include your development_secret and check the option that the secret is base64 encode

then the signature is verified correctly. This means that the token generation is correct and the issue lies in how we are validating it in Ruby. You need to check if the Rails API for validation assumes any encoding and pass the secret in the expected format.


Note from OP: what ultimately fixed it for me was to manually base64 encode a string (JWT.base64url_encode 'my_arbitrary_string') and paste the resulting value into Client Secret in my Auth0 settings.

Comments