Node-jsonwebtoken: Could not verify token generated by Auth0

Created on 23 Dec 2015 · 6 Comments · Source: auth0/node-jsonwebtoken

I am trying to verify a token created by Auth0, but am unable to do so using this library.

I am using the following token:

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJqdGkiOiI0N2RlYWE1Ny00YzFjLTRlYjktOTdjZS1hNDMwMjUzNTE3OTUiLCJlbWFpbCI6ImFudmFyQGthcmltc29uLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ1c2VyX2lkIjoiYXV0aDB8NTY0Nzg4YjYwNzc2NWMzMjFlMWU3MmM5IiwibmFtZSI6ImFudmFyQGthcmltc29uLmNvbSIsImlzcyI6Imh0dHBzOi8vcXVhbnQtdGVjaG5vbG9naWVzLmV1LmF1dGgwLmNvbS8iLCJzdWIiOiJhdXRoMHw1NjQ3ODhiNjA3NzY1YzMyMWUxZTcyYzkiLCJhdWQiOiJqd2lGcHpCcDVTWnd5elR4dm1jY1Y3YmlFTmJkNXBwUyIsImV4cCI6MTQ1MDkzNzYwMSwiaWF0IjoxNDUwODY1NjAxfQ.kiXE6zmFcesCnwwFXiXrCkXK_x4ZZwsJjs0fxcdDPPE

The client secret used is myClientSecret, and I can successfully verify it using the debugger at jwt.io but the following code consistently fails with an invalid signature error message.

var JWT = require('jsonwebtoken');
var token = ...; // the Auth0-issued token shown above
var secret = 'myClientSecret'; // the client secret exactly as shown in the Auth0 dashboard
JWT.verify(token, secret, function (err, decoded) {
  console.info(err); // { [JsonWebTokenError: invalid signature] name: 'JsonWebTokenError', message: 'invalid signature' }
  console.info(decoded); // undefined
});

All 6 comments

Hey @anvar, looks like an encoding issue:

var JWT = require("jsonwebtoken");
var token = ...;
// Decode the dashboard value as base64 and pass the raw bytes as the HMAC key
var secret = Buffer.from("myClientSecret", "base64");
JWT.verify(token, secret, function (err, decoded) {
    console.info(err); // [TokenExpiredError: jwt expired], which means the signature is valid
    console.info(decoded); // undefined
});

Weird that "stringifying" the buffer doesn't work though:

var JWT = require("jsonwebtoken");
var token = ...;
// Same bytes converted back to a JS string before being used as the key
var secret = Buffer.from("myClientSecret", "base64").toString();
JWT.verify(token, secret, function (err, decoded) {
    console.info(err); // [JsonWebTokenError: invalid signature]
    console.info(decoded); // undefined
});

That fixed it, @pscanf, thank you! How peculiar! I guess it might be expecting a buffer, not a string perhaps. I even tried base64 encoding the string manually and using that, but to no avail.

Thanks @pscanf!

The base64-decoded version of the client secret may not be able to be represented as a printable string in JavaScript.

Update: December 2016:

If you are using a base64 URL-encoded secret, you need to pass a Buffer with base64 encoding as the secret.

But since December 2016 Auth0 no longer stores the client secret with base64 encoding (https://auth0.com/forum/t/client-secret-stored-without-base64-encoding).

This code is working for me:

var jwt = require('express-jwt');

// Client secret and client ID copied from the Auth0 dashboard (placeholders here)
var auth_secret = "auth0 secret";
var auth_client = "auth0 client";

// Middleware that verifies the token signature with the secret as-is (no base64 decoding)
// and checks that the token's aud claim matches the client ID
var authCheck = jwt({
    secret: auth_secret,
    audience: auth_client
});


@aleixx thanks it works like a charm without base64 encoding :)
