Node-jsonwebtoken: Incorrect invalid algorithm error

Created on 20 Dec 2018 · 6 Comments · Source: auth0/node-jsonwebtoken

This works:

require('jsonwebtoken').verify('eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM', `-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd
UWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs
HUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D
o2kQ+X5xK9cipRgEKwIDAQAB
-----END PUBLIC KEY-----`)

(example from jwt.io)

This gives invalid algorithm instead of complaining about the key:

require('jsonwebtoken').verify('eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM', `a`)

All 6 comments

It could also complain about the signature not being valid.

But there is CERTAINLY no problem with the algorithm header spec in the jwt...

{"alg":"RS256","typ":"JWT"} is valid.

Did you notice that jwt.verify(token, cert, { algorithms: ['RS256']})? It's algorithms, not algorithm.

@Masterxilo when you pass a public key as the secret/key to the verify function, the library has some code to infer the accepted algorithms, thus when the JWT contains RS256 it is accepted as valid.
However, when you passed a plain string, the library couldn't infer anything, so you need to specify the accepted algorithms (like @hbrls mentioned); otherwise you get the invalid algorithm error.

Hi @ziluvatar
I faced exactly the same issue as @Masterxilo, using algorithm instead of algorithms.
What about implementing a fallback in the library? This would be helpful.

Thanks, this was really helpful.
