I am trying to verify a token created by Auth0, but am unable to do so using this library.
I am using the following token:
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqdGkiOiI0N2RlYWE1Ny00YzFjLTRlYjktOTdjZS1hNDMwMjUzNTE3OTUiLCJlbWFpbCI6ImFudmFyQGthcmltc29uLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ1c2VyX2lkIjoiYXV0aDB8NTY0Nzg4YjYwNzc2NWMzMjFlMWU3MmM5IiwibmFtZSI6ImFudmFyQGthcmltc29uLmNvbSIsImlzcyI6Imh0dHBzOi8vcXVhbnQtdGVjaG5vbG9naWVzLmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1NjQ3ODhiNjA3NzY1YzMyMWUxZTcyYzkiLCJhdWQiOiJqd2lGcHpCcDVTWnd5elR4dm1jY1Y3YmlFTmJkNXBwUyIsImV4cCI6MTQ1MDkzNzYwMSwiaWF0IjoxNDUwODY1NjAxfQ.kiXE6zmFcesCnwwFXiXrCkXK_x4ZZwsJjs0fxcdDPPE
The client secret used is myClientSecret, and I can successfully verify it using the debugger at jwt.io but the following code consistently fails with an invalid signature error message.
var token = ...;
// NOTE(review): the secret is passed as the literal text "myClientSecret", so the
// signature is recomputed with the ASCII bytes of that text as the HMAC key. If the
// stored secret is itself base64 text (as the replies suggest), the real key bytes
// differ and verification fails. Assumes JWT = require("jsonwebtoken") earlier; a
// real secret should be loaded from configuration, not hard-coded in source.
var secret = 'myClientSecret';
JWT.verify(token, secret, function (err, decoded) {
console.info(err); // { [JsonWebTokenError: invalid signature] name: 'JsonWebTokenError', message: 'invalid signature' }
console.info(decoded); // undefined
});
Hey @anvar, looks like an encoding issue:
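var JWT = require("jsonwebtoken");
var token = ...;
// The secret as stored is base64 text; decode it so the raw key bytes are used
// as the HMAC key rather than the ASCII bytes of the base64 string.
// Buffer.from replaces the deprecated `new Buffer(string, encoding)` constructor.
var secret = Buffer.from("myClientSecret", "base64");
JWT.verify(token, secret, function (err, decoded) {
  // TokenExpiredError is only raised once the signature has been accepted, so
  // "jwt expired" here means the key was right and only the `exp` claim failed.
  console.info(err); // [TokenExpiredError: jwt expired], which means the signature is valid
  console.info(decoded); // undefined
});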
Weird that "stringifying" the buffer doesn't work though:
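var JWT = require("jsonwebtoken");
var token = ...;
// Decoding the base64 secret yields raw key bytes; calling .toString() re-encodes
// them as UTF-8 text, so bytes that are not valid UTF-8 are altered and the
// resulting string no longer matches the key the token was signed with.
// (Buffer.from replaces the deprecated `new Buffer(string, encoding)` constructor.)
var secret = Buffer.from("myClientSecret", "base64").toString();
JWT.verify(token, secret, function (err, decoded) {
  console.info(err); // [JsonWebTokenError: invalid signature]
  console.info(decoded); // undefined
});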
That fixed it, @pscanf, thank you! How peculiar! I guess it might be expecting a buffer, not a string perhaps. I even tried base64 encoding the string manually and using that, but to no avail.
Thanks @pscanf!
The base64-decoded version of the client secret may not be representable as a printable string in JavaScript.
Update: December 2016:
If you are using a base64 URL-encoded secret, you need to pass a Buffer with base64 encoding as the secret.
But since December 2016 Auth0 no longer stores the client secret with base64 encoding (https://auth0.com/forum/t/client-secret-stored-without-base64-encoding).
This code is working for me:
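var jwt = require('express-jwt');
// Placeholder values: in real code load the secret from configuration (for
// example an environment variable) instead of committing it to source.
var auth_secret = "auth0 secret";
var auth_client = "auth0 client";
// express-jwt middleware: verifies the request's bearer token against auth_secret
// and checks its `aud` claim against auth_client.
var authCheck = jwt({
  secret: auth_secret,
  audience: auth_client,
  // Pin the accepted signing algorithm (the Auth0 token in this thread is HS256)
  // so a token carrying a different `alg` header is not verified against this
  // secret; newer express-jwt releases require this option to be set.
  algorithms: ['HS256']
});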
@aleixx thanks it works like a charm without base64 encoding :)