JWT Fraudulent Token Exception


Mattia Micomonaco

Sep 13, 2016, 6:09:04 AM
to Silhouette
Hi. I'm using Auth0Provider and JWTAuthenticator. When the authenticator tries to verify id_token returned by Auth0, the exception "java.lang.IllegalArgumentException: Fraudulent JWT token" is thrown.
By inspecting the source code, I noticed that this means that the expected signature and the signature are not equal. I'm sure that the client secret is correct because the validation of the id_token and the client secret with https://jwt.io/ is successful.
The client secret given by Auth0 Dashboard is in Base64 format. I tried to set the client secret in JWTAuthenticatorSettings in different formats (Base64 or decoded in UTF-8) but it didn't work.
Do you know in which format I should pass the client secret? Or do you have any suggestions on how to solve this problem?
Thanks in advance.
Mattia

Christian Kaps

Sep 13, 2016, 2:26:00 PM
to Silhouette
The secret must be passed as a plain string. Maybe the signing algorithms differ. Atlassian JWT, on which Silhouette depends, supports only HMAC SHA-256.

Mattia Micomonaco

Sep 14, 2016, 5:48:17 AM
to Silhouette
What do you mean by "plain string"? The Auth0 client secret is in Base64. Should I use a decoded secret?
However, Auth0 also uses HMAC SHA-256 as the signing algorithm. I don't know if there is some difference in the implementation of HMAC in Silhouette and Auth0.
Thanks for your reply.

Best regards,
Mattia.

Christian Kaps

Sep 16, 2016, 11:36:20 AM
to Silhouette
I've no idea how Auth0 uses the secret to sign the token. Silhouette doesn't encode the passed string as base64. It passes the plain string as defined in the config to the Atlassian JWT components.

Best regards,
Christian
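The disagreement in this thread comes down to which bytes each side feeds into HMAC-SHA256: the literal characters of the configured secret, or the bytes those characters decode to as Base64. If the issuer and the verifier pick different forms, every token fails the signature comparison and is reported as fraudulent even though the secret itself is "correct". The following is an added example, not Silhouette's, Atlassian JWT's or Auth0's code; it uses only the Python standard library, the secret value is a constructed stand-in (it is not a real credential), and the claim values are invented. It signs a token with each form of the same secret and shows which verifier-side interpretation accepts it.

```python
import base64
import hashlib
import hmac
import json

# Constructed stand-in for the Base64 value an identity provider's dashboard
# shows as the "client secret"; it is not a real credential. It decodes to the
# ASCII bytes "secret-key-for-demo-purposes-only".
DASHBOARD_SECRET = "c2VjcmV0LWtleS1mb3ItZGVtby1wdXJwb3Nlcy1vbmx5"


def b64url_encode(data: bytes) -> str:
    """base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder wants."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_forms(secret: str) -> dict:
    """The two byte strings a verifier might plausibly derive from the same
    configured secret. Silhouette (per the thread) uses the first form."""
    return {
        "plain_string": secret.encode("utf-8"),
        "base64_decoded": base64.b64decode(secret),
    }


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS with HS256 over the given claims (issuer side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(tag)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC and compare in constant time (verifier side).
    A mismatch here is what Atlassian JWT reports as 'Fraudulent JWT token'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False
    # Pin the algorithm: the key is an HMAC key, so only HS256 is acceptable.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, presented)


def diagnose(token: str, secret: str) -> dict:
    """Report which interpretation of the configured secret verifies the token."""
    return {name: verify_hs256(token, key) for name, key in key_forms(secret).items()}


if __name__ == "__main__":
    claims = {"iss": "https://issuer.example/", "sub": "user-123", "aud": "my-client-id"}
    for label, key in key_forms(DASHBOARD_SECRET).items():
        token = sign_hs256(claims, key)
        print(f"token signed with {label:15} -> {diagnose(token, DASHBOARD_SECRET)}")
```

Running `diagnose` against a token actually issued by the provider tells you which form the provider signed with; the verifier's configuration then has to supply exactly that form, since a library that treats the configured value as a plain string cannot be made to match a signature computed over the decoded bytes by any re-encoding of the string. The algorithm pin in `verify_hs256` is deliberate: with a symmetric key, accepting whatever `alg` the token header names would let an unverified token choose how it is checked.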