Verifying Auth0 JWT throws invalid algorigthm

Question

I have created an Auth0 client, I am logging in and receive this token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVkdOa1l5T1VaQ1JqTkRSVE5EUmtNeU5rVkROMEUyU         


        

Answer 1

You need to specify the allowed algorithms as an Array of Strings, instead of an algorithm String.

jwt.verify(token, MYSECRET, { algorithms: ['RS256'] });

Answer 2

You need to change the third parameter of your verify method which is

{algorithm: 'RS256'} to ==>{algorithms: 'RS256'}

and make sure you write the correct name for the algorithm, It will work fine

Answer 3

If you are using only a secret key then using RS256 won't work, as it's based on a private/public key pair. Using only a secret key usually indicates H256. In my answer I assume that what you call MYSECRET is just the content of certificate.pem.

Anyways, I would assume your string has to contain

-----BEGIN RSA PRIVATE KEY-----

and

-----END RSA PRIVATE KEY-----

or PUBLIC instead of PRIVATE.

You can see this in source. The lines mentioned in your error message contains:

if (!~options.algorithms.indexOf(header.alg)) {
  return done(new JsonWebTokenError('invalid algorithm'));
}

and options.algorithms is defined as

if (!options.algorithms) {
  options.algorithms = ~secretOrPublicKey.toString().indexOf('BEGIN CERTIFICATE') ||
                       ~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ?
                        [ 'RS256','RS384','RS512','ES256','ES384','ES512' ] :
                       ~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ?
                        [ 'RS256','RS384','RS512' ] :
                        [ 'HS256','HS384','HS512' ];

}

If you don't have the RSA things at the start and end it will look for the following algorithms: 'HS256','HS384','HS512'.

I haven't used RS256 with JWT before, but I have used it with ssh, and I know that it's very sensitive to having the header. The string has to be in the exactly correct format.

Answer 4

Have you tried setting the algorithm to "HS256"?

According to the Auth0 docs at https://auth0.com/docs/api-auth/tutorials/verify-access-token#verify-the-signature

For HS256, the API's Signing Secret is used. You can find this information at your API's Settings. Note that the field is only displayed for APIs that use HS256.

For RS256, the tenant's JSON Web Key Set (JWKS) is used. Your tenant's JWKS is https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json.