Reputation: 1117
I have created an Auth0 client, I am logging in and receive this token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Ik1rVkdOa1l5T1VaQ1JqTkRSVE5EUmtNeU5rVkROMEUyUTBVMFJrVXdPVEZEUkVVNU5UQXpOZyJ9.eyJpc3MiOiJodHRwczovL3RvdGFsY29tbW56LmF1LmF1dGgwLmNvbS8iLCJzdWIiOiJnb29nbGUtb2F1dGgyfDEwMzI5NzA4OTYyMTk5NjUwMjY2MiIsImF1ZCI6ImxTWUtXMUZZdENkMWJLQmdXRWN0MWpCbmtDU3R2dW5SIiwiaWF0IjoxNTA5ODYyMTI1LCJleHAiOjE1MTAyMjIxMjV9.kjmckPxLJ4H9R11XiBBxSNZEvQFVEIgAY_jj2LBy4sEJozBB8ujGE7sq9vEIjMms-Lv2q9WzFQPrqcxyBcYC4Je4QojMgvqLDCodtpot0QUle8QfGmonc1vZYIZyX-wqyOXtRqhoZVEKTeLhm9Le2CV4_a3BwgjkE1LjcDx01GZfsnaId8mh10kGk-DBmr5aVc8MxglLCq5Uk8Zbl2vDc__UMDgx1eQPQg-zve4fUf8zHcxizypYTnF_v0dEAT00L2j5J41SFYdWvP6ReQ3vhVYew2o9iM6u1s75HE-xW8s4pzV4BZAQtgfgIeCd6aVGZs76bcnQXBLej1B7zaPBvA
What I am trying to do now is to verify the token using jsonwebtoken. The token is signed with an RS256 algorithm.
I downloaded the signing certificate as a .pem
and I am successfully using it to verify the token like this:
var cert = fs.readFileSync('certificate.pem');
jwt.verify(token, cert, {algorithm: 'RS256'}, (err, decoded) => {
console.log(err)
console.log(decoded)
});
What I want to do and it doesn't work is verifying the token using the secret (which is called Client Secret in the Auth0 client settings and is a string).
jwt.verify(token, MYSECRET, {algorithm: 'RS256'}, (err, decoded) => {
console.log(err)
console.log(decoded)
});
This code always throws an error:
{ JsonWebTokenError: invalid algorithm
at Object.module.exports [as verify] (C:\code\aws\learn-authorizer\node_modules\jsonwebtoken\verify.js:90:17)
at Object.<anonymous> (C:\code\aws\learn-authorizer\testme.js:25:5)
at Module._compile (module.js:624:30)
at Object.Module._extensions..js (module.js:635:10)
at Module.load (module.js:545:32)
at tryModuleLoad (module.js:508:12)
at Function.Module._load (module.js:500:3)
at Function.Module.runMain (module.js:665:10)
at startup (bootstrap_node.js:187:16)
at bootstrap_node.js:608:3 name: 'JsonWebTokenError', message: 'invalid algorithm' }
My question is: how can I verify the RS256 token using the secret key as opposed to using the certificate file? (I also tried creating a new client which is using the HS256 algorithm, but I get the same error).
Upvotes: 17
Views: 31813
Reputation: 510
hello maybe you are missing utf8 flag, this works on jsonwebtoken 9
const fs = require('fs')
const jwt = require('jsonwebtoken')
const private_key = fs.readFileSync('secret/private.key', 'utf8')
const public_key = fs.readFileSync('secret/public.pem', 'utf8')
const token = jwt.sign({
data: 'data'
}, private_key, { algorithm: 'RS256' })
const verified = jwt.verify(token, public_key, { algorithms: 'RS256'})
Upvotes: 0
Reputation: 15041
I was stuck on this too !!
problem:
steps in the following code:
const verifyJWT = async (token, verifyURL) => {
return new Promise(async (resolve, reject) => {
const result = jwt.decode(token, { complete: true });
const domainFromToken = result?.payload?.iss;
const signatureUrl = verifyURL ? verifyURL : `${domainFromToken}.well-known/jwks.json`;
const jwksResponse = await axios.get(signatureUrl).catch((exp)=>{
console.log('Error getting jwkResponse:', exp);
reject(false)
});
const jwks = jwksResponse?.data?.keys;
console.log('# of JWKS:', jwks.length, ' -trying to find:', result?.header?.kid);
const relevantKey = jwks.filter(jk => jk.kid === result?.header?.kid)[0];
console.log('relevantKey:', relevantKey);
const algoForImport = selectedKey.alg
const publicKey = await jose.importJWK(relevantKey, algoForImport);
const { payload, protectedHeader } = await jose.jwtVerify(token, publicKey, {
iss: 'issuer, get this from decoded token, or the issuer you expect',
}).catch(exp => {
console.log('exp:', exp);
reject(exp);
});
if (payload && Object.keys(payload).length > 0) {
console.log('Object.keys(payload):', Object.keys(payload));
// uncomment to take a closer look
// console.log('joseResult:', joseResult);
resolve('ok');
}
})
}
Upvotes: 0
Reputation: 2206
You need to change the third parameter of your verify method which is
{algorithm: 'RS256'} to ==>{algorithms: 'RS256'}
and make sure you write the correct name for the algorithm, It will work fine
Upvotes: 3
Reputation: 9807
You need to specify the allowed algorithms
as an Array of Strings, instead of an algorithm
String.
jwt.verify(token, MYSECRET, { algorithms: ['RS256'] });
Upvotes: 9
Reputation: 18969
If you are using only a secret key then using RS256 won't work, as it's based on a private/public key pair. Using only a secret key usually indicates H256. In my answer I assume that what you call MYSECRET
is just the content of certificate.pem
.
Anyways, I would assume your string has to contain
-----BEGIN RSA PRIVATE KEY-----
and
-----END RSA PRIVATE KEY-----
or PUBLIC instead of PRIVATE.
You can see this in source. The lines mentioned in your error message contains:
if (!~options.algorithms.indexOf(header.alg)) {
return done(new JsonWebTokenError('invalid algorithm'));
}
and options.algorithms
is defined as
if (!options.algorithms) {
options.algorithms = ~secretOrPublicKey.toString().indexOf('BEGIN CERTIFICATE') ||
~secretOrPublicKey.toString().indexOf('BEGIN PUBLIC KEY') ?
[ 'RS256','RS384','RS512','ES256','ES384','ES512' ] :
~secretOrPublicKey.toString().indexOf('BEGIN RSA PUBLIC KEY') ?
[ 'RS256','RS384','RS512' ] :
[ 'HS256','HS384','HS512' ];
}
If you don't have the RSA things at the start and end it will look for the following algorithms: 'HS256','HS384','HS512'
.
I haven't used RS256 with JWT before, but I have used it with ssh, and I know that it's very sensitive to having the header. The string has to be in the exactly correct format.
Upvotes: 14
Reputation: 5707
Have you tried setting the algorithm to "HS256"?
According to the Auth0 docs at https://auth0.com/docs/api-auth/tutorials/verify-access-token#verify-the-signature
For HS256, the API's Signing Secret is used. You can find this information at your API's Settings. Note that the field is only displayed for APIs that use HS256.
For RS256, the tenant's JSON Web Key Set (JWKS) is used. Your tenant's JWKS is https://YOUR_AUTH0_DOMAIN/.well-known/jwks.json.
Upvotes: 2