this works:
```js
require('jsonwebtoken').verify('eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM', `-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdlatRjRjogo3WojgGHFHYLugd
UWAY9iR3fy4arWNA1KoS8kVw33cJibXr8bvwUAUparCwlvdbH6dvEOfou0/gCFQs
HUfQrSDv+MuSUMAe8jzKE4qW+jK+xQU9a03GUnKHkkle+Q0pX/g6jXZ7r1/xAK5D
o2kQ+X5xK9cipRgEKwIDAQAB
-----END PUBLIC KEY-----`)
```
(example from jwt.io)
This gives `invalid algorithm` instead of complaining about the key:
```js
require('jsonwebtoken').verify('eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.TCYt5XsITJX1CxPCT8yAV-TVkIEq_PbChOMqsLfRoPsnsgw5WEuts01mq-pQy7UJiN5mgRxD-WUcX16dUEMGlv50aqzpqh4Qktb3rk-BuQy72IFLOqV0G_zS245-kronKb78cPN25DGlcTwLtjPAYuNzVBAh4vGHSrQyHUdBBPM', `a`)
```
It could also complain about the signature not being valid.
But there is CERTAINLY no problem with the algorithm header spec in the jwt...
`{"alg":"RS256","typ":"JWT"}` is valid.
Did you notice that `jwt.verify(token, cert, { algorithms: ['RS256'] })`? It's `algorithms`, not `algorithm`.
@Masterxilo when you pass a public key as secret/key to the verify function, the library has some code to infer the accepted algorithms, thus when the JWT contains RS256 it is accepted as valid.
However, when you passed a plain string `a`, the library couldn't infer anything, so you need to specify the accepted algorithms (like @hbrls mentioned), otherwise you get the `invalid algorithm` error.
Hi @ziluvatar
I faced exactly the same issue as @Masterxilo, using `algorithm` instead of `algorithms`.
What about implementing a fallback in the library? This would be helpful.
Did you notice that
`jwt.verify(token, cert, { algorithms: ['RS256'] })`? It's `algorithms`, not `algorithm`.
Thanks, this was really helpful.