
I am trying to decode a JWT I get from Auth0. When I go to jwt.io, they have a decoder that you can put a JWT in, and it will tell you all the information about each section of the JWT. I can see that all the information is correct. When I try to decode it myself though, I get this error. I'm getting the secret key from my Auth0 registered client information, and there is a note that says: The Client Secret is not base64 encoded. Do I need to base64 encode this secret before using it?

ValueError: Could not unserialize key data.

Terminal

>>> import jwt

>>> secret = secret
>>> encoded_jwt = encoded_jwt
>>> decoded_jwt = jwt.decode(encoded_jwt, secret, algorithm="RS256")

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/jwt/api_jwt.py", line 78, in decode
    jwt, key=key, algorithms=algorithms, options=options, **kwargs
  File "/usr/local/lib/python3.6/site-packages/jwt/api_jws.py", line 140, in decode
    key, algorithms)
  File "/usr/local/lib/python3.6/site-packages/jwt/api_jws.py", line 204, in _verify_signature
    key = alg_obj.prepare_key(key)
  File "/usr/local/lib/python3.6/site-packages/jwt/algorithms.py", line 207, in prepare_key
    key = load_pem_public_key(key, backend=default_backend())
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/serialization.py", line 24, in load_pem_public_key
    return backend.load_pem_public_key(data)
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/backends/multibackend.py", line 314, in load_pem_public_key
    return b.load_pem_public_key(data)
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1110, in load_pem_public_key
    self._handle_key_loading_error()
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1325, in _handle_key_loading_error
    raise ValueError("Could not unserialize key data.")
ValueError: Could not unserialize key data.
TJB

1 Answer


As you don't mention a PUBLIC KEY or a PRIVATE KEY, it looks like you are trying to decode using the "RS256" algorithm, but your token uses "HS256".

Try:

decoded_jwt = jwt.decode(encoded_jwt, secret, algorithms=["HS256"])  # PyJWT takes an allow-list named `algorithms`, not `algorithm`

instead of:

decoded_jwt = jwt.decode(encoded_jwt, secret, algorithm="RS256")

You are free to encode the key using base64 if you like at this address: https://www.base64encode.org/

You can verify the encoded key by checking the "secret base64 encoded" check box at jwt.io, under the VERIFY SIGNATURE section.

Peter RD
  • You wouldn't happen to know how to get the public/private key from an RSA certificate, would you? At the time of writing this I thought I used my client_secret from Auth0, but now after much research know that I need a public key taken from a certificate. I managed to get the certificate but am having a lot of trouble getting the public key. – TJB Dec 20 '17 at 04:33
  • This link may help you: https://stackoverflow.com/questions/9497719/extract-public-private-key-from-pkcs12-file-for-later-use-in-ssh-pk-authenticati – Peter RD Dec 20 '17 at 05:09
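To make the key-type point from the thread concrete, here is an added example (not code from the question, the answer, or PyJWT) that verifies an HS256 token with the standard library only, pins the accepted algorithms the way PyJWT's `algorithms=` allow-list does, and refuses an RS256 token when handed a client secret instead of a PEM public key, which is the mismatch behind the "Could not unserialize key data" traceback above. The token, the secret and the `secret_base64_encoded` flag (mirroring the jwt.io checkbox) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def signing_input(header: dict, payload: dict) -> str:
    # The signature covers the base64url header and payload joined by "."
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}"

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Constructed issuer side: with HS256 the shared client secret is the key
    si = signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(secret, si.encode(), hashlib.sha256).digest()
    return f"{si}.{b64url_encode(sig)}"

def unverified_header(token: str) -> dict:
    # Reading the header tells you which key type the token expects
    return json.loads(b64url_decode(token.split(".")[0]))

def decode(token: str, key, algorithms: list, secret_base64_encoded: bool = False) -> dict:
    """Verify and return the claims. `algorithms` pins what the verifier accepts,
    so the token's own `alg` header cannot switch the key type (HS256 vs RS256)."""
    if isinstance(key, str):
        key = key.encode()
    if secret_base64_encoded:  # the jwt.io "secret base64 encoded" checkbox
        key = base64.b64decode(key)
    h_b64, p_b64, sig_b64 = token.split(".")
    alg = unverified_header(token).get("alg")
    if alg not in algorithms:
        raise ValueError(f"token alg {alg!r} is not in the allowed list {algorithms}")
    if alg == "HS256":
        expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("HS256 signature mismatch")
        return json.loads(b64url_decode(p_b64))
    if alg == "RS256":
        # RS256 is verified with the issuer's RSA public key (PEM), never the
        # client secret; a non-PEM key here is what made PyJWT raise above.
        if not key.lstrip().startswith(b"-----BEGIN"):
            raise ValueError("RS256 token needs a PEM public key, not the client secret")
        raise NotImplementedError("RSA verification needs a library such as PyJWT")
    raise ValueError(f"unsupported alg {alg!r}")
```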