[JWT] Read and Validate token

Forge Component
Published on 2018-10-10 by João Almeida
4 votes
Published on 2018-10-10 by João Almeida

Dear ,

How to read and Validate JWT token , it seems it still not implemented yet .

Kindly suggest us.

Thanks and regards

Rajashekar Reddy Ette

Hi Rajashekar,

sorry but the version in Forge still doesn't have the logic to read and validate token, we have that implemented but haven't published because it's not stable.

Hello Joäo,

When I use your component to Create a Token the ReadAndValidateToken works correct.

However when I create a token using https://auth0.com/ as issuer, I can read the token, but not validate it. When I validate the token on http://jwt.io it says it has a valid signature.

I noticed on your last post that the read and validate token functionality is not yet stable. Do you have plans to work on it?



I got it working, my own mistake.

Hi Daniël, Glad you got to have it working.

Hi Again,

I got HS256 working. 

However customer, unfortunately didn't tell on forhand that he wanted me to use RS256 instead of HS256.

I need to use Oauth issuer that they have defined on https://auth0.com/.

So I only use your functionality to validate a token that I receive when the system from my customer calls my OutSystems Rest API. The problem I face is I get the exception as highlighted in your code below.

If I validate the token on jwt.io it says that the signature is valid.

I can read the token succesfully without validation.

What I do not understand from the error message is why it says 'Validate if key private key is in PEM format', as far as I understood I have to provide the public key (PEM signature).

Do you have experience with using your ReadToken function to validate a token issued by a www.autho0.com api?

The public key I use in my test senario is accessible via https://danielkuhlmann.eu.auth0.com/.well-known/jwks.json

(the x5c part of the returned json structure)



Hi Daniel, I've never tested with Auth0 tokens, let me test your scenario and I'll get back to you.

The current implementation doesn't support correctly keys in x509 format, the one used in JWKS structures. I'm working to fix that, and also add better support for pulling keys from JWKS. 

Hi Daniel, I already a working version that allows validating tokens with x509 certificates, and even has support for JWKS. Let me do another round of testing and I publish a new version in the Forge.

Hi João,

Thanks for the quick support, truly appreciated.



Hi Daniel, I have a new version of the component in the Forge, version 2.2.0. You can use as it is right now with the x5c field, but you'll need to wrap it with "-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----" delimiters. You can use new actions that make easier to sign with Json Web Key and Json Web Key Sets.

Take a look, there's also a new page to test the features for JWKS:


Hi João,

I will give it a try first thing tomorrow morning.



Hi João,

I've downloaded your latest version, and can confirm that now I can correctly validate a JWT token that is encrypted with RS256.

Thanks again for the quick and professional support.