Auth0 App Registration - JWT Generation & Validation with Public Key

Summary

Auth0 is a comprehensive identity management platform that offers robust solutions for authentication, authorization, and user management in applications. One key aspect of using Auth0 is the process of app registration, JWT (JSON Web Token) generation, and validation by a public key, along with understanding access tokens.

App Registration and JWT Generation

App registration with Auth0 involves creating an application within the Auth0 dashboard, where developers can configure various settings such as allowed callback URLs, allowed origins, and application type (such as regular web app or single-page application). Once registered, the application is provided with unique credentials to interact securely with Auth0 services.

JWT generation is central to Auth0's authentication mechanism. When a user successfully authenticates, Auth0 generates a JWT containing information about the user and the authentication event. This token is signed using a private key held by Auth0, ensuring its authenticity.

To validate JWTs, applications typically retrieve Auth0's public key from a well-known endpoint provided by Auth0. This public key is then used to verify the signature of incoming JWTs, ensuring that they were indeed issued by Auth0 and haven't been tampered with.

Access Tokens and Public Key Validation

Access tokens are another important concept in Auth0's ecosystem. Once a user is authenticated, Auth0 issues an access token that contains specific permissions and scopes granted to the user. These tokens are then used to access protected resources within the application or API, with the server validating them to ensure the user has the necessary permissions.

In summary, the process of app registration, JWT generation, and validation by public key, along with the understanding of access tokens, form the core components of integrating Auth0's authentication and authorization services into applications, providing developers with a secure and reliable identity management solution.

Sign Up into the Auth0 by following the link Auth0 Sign Up.

After completing the sign-up process, follow the following steps.

Create your App on the portal

Copy the Client ID and Client Secret from the Credentials Tab.

Now Open your Postman to execute the Get call to get the public key. If you do not have Postman then download and install from here Postman, now note down the highlighted value from the auth0 portal and pass it to the postman Get call.

https://your_unique_id_at_auth0.us.auth0.com/.well-known/jwks.json.

Execute the call then you will get the public key.

For getting access token you need to pass the Client ID & Client Secret, execute the following in postman.

https://your_unique_id_at_auth0.us.auth0.com/oauth/token.

You might get access denied as highlighted above, then you need to Authorize it as follows.

Enable the option for you registered app.

Now, Execute the API again from Postman, and you will get the access token from Auth0.

Copy the access token from postman.

Copy the public key from the postman.

Now, create a simple .Net Console project and paste your access token and public key to validate the token.

Copy and paste the below code into your console project and add the required Nuget packages and build & run the app.

using Microsoft.Identity.Client;
using Microsoft.IdentityModel.Tokens;
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography.X509Certificates;
public class Program
{
    static async System.Threading.Tasks.Task Main(string[] args)
    {
        #region "JWT Validation Process"

        Console.WriteLine("Getting JWT Token...");
        string accessToken = "Your_Access_Token";
        var handler = new JwtSecurityTokenHandler();
        var jwtTokenObject = handler.ReadJwtToken(accessToken);
        Console.WriteLine("Decoding JWT and extracting claims");
        foreach (var claim in jwtTokenObject.Claims)
        {
            Console.WriteLine($"Claim Type: {claim.Type} Claim Value: {claim.Value}");
        }
        #region "Auth0 JWT Validation"
        Console.WriteLine("Loading Public Key");
        string key = "-----BEGIN CERTIFICATE-----\n" +
            "Your_Public_Key" +
            "\n-----END CERTIFICATE-----";
        byte[] bytes = System.Text.Encoding.UTF8.GetBytes(key);
        string base64String = Convert.ToBase64String(bytes);
        // Load certificate
        var certificate = new X509Certificate2(Convert.FromBase64String(base64String));
        Console.WriteLine($"Loading Certificate...");
        // Create token validation parameters
        Console.WriteLine("Passing validation parameters...");
        var validationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://your_unique_id_at_auth0.us.auth0.com/", // Provide the issuer as https://learnwithasif.us.auth0.com/
            ValidateIssuer = true,
            ValidateAudience = false,
            IssuerSigningKey = new X509SecurityKey(certificate),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.Zero
        };
        Console.WriteLine($"Validating Token...");
        try
        {
            // Validate token
            var claimsPrincipal = handler.ValidateToken(accessToken, validationParameters, out var token);
            Console.WriteLine($"Token varification status: Success \n{token}");
        }
        catch (Exception ex)
        {
            Console.WriteLine("Token is not valid");
        }
        #endregion
        #endregion
    }
}

When you execute the app you will be validating JWT (Access Token) and get the final outcome.

Conclusion

Auth0 provides developers with a robust solution for managing authentication, authorization, and user management in their applications. The process of app registration, JWT generation, validation by the public key, and understanding access tokens are foundational elements in integrating Auth0's services seamlessly.

By following the outlined steps, developers can register their applications on the Auth0 dashboard, obtain unique credentials, and utilize Auth0's well-known endpoint to retrieve the public key for JWT validation. With the acquired access token, developers can securely access protected resources within their applications or APIs.

Furthermore, the provided code snippet demonstrates how to validate JWT tokens within a .NET Console project, ensuring the authenticity and integrity of access tokens issued by Auth0. By adhering to best practices in identity management and leveraging Auth0's capabilities, developers can build applications with confidence in their security and reliability.