Verifying Auth0 JWT throws invalid algorithm

说谎 2021-02-20 17:38

I have created an Auth0 client, I am logging in and receive this token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVkdOa1l5T1VaQ1JqTkRSVE5EUmtNeU5rVkROMEUyU
4 answers
  •  半阙折子戏
    2021-02-20 18:10

    If you are using only a secret key then using RS256 won't work, as it's based on a private/public key pair. Using only a secret key usually indicates H256. In my answer I assume that what you call MYSECRET is just the content of certificate.pem.

    Anyways, I would assume your string has to contain

    -----BEGIN RSA PRIVATE KEY-----

    and

    -----END RSA PRIVATE KEY-----

    or PUBLIC instead of PRIVATE.

    You can see this in source. The lines mentioned in your error message contain:

    // reject the token if its header "alg" is not in the allowed list
    if (!~options.algorithms.indexOf(header.alg)) {
      return done(new JsonWebTokenError('invalid algorithm'));
    }

    and options.algorithms is defined as

    // when the caller does not pass options.algorithms, infer the allowed list
    // from the PEM header of the key string that was supplied
    if (!options.algorithms) {
      options.algorithms = ~secretOrPublicKey.toString().indexOf('BEGIN CERTIFICATE') ||
                           ~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ?
                            [ 'RS256','RS384','RS512','ES256','ES384','ES512' ] :
                           ~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ?
                            [ 'RS256','RS384','RS512' ] :
                            [ 'HS256','HS384','HS512' ];
    }

    If you don't have the RSA things at the start and end it will look for the following algorithms: 'HS256','HS384','HS512'.

    I haven't used RS256 with JWT before, but I have used it with ssh, and I know that it's very sensitive to having the header. The string has to be in the exactly correct format.
