Open Pixelatex opened 3 years ago
Thanks for submitting this issue.
What alg value is in the header of the access token? (You can parse the JWT here, for example.)
The only supported alg in jwt-verifier is RS256
aha, mine is:
{ "alg": "HS512" }
I used https://mkjwk.org/ to generate a token as RS256, but now they keep coming back as "signature invalid" in jwt.io.
Example jwt:
eyJraWQiOiJpcnE0SHduaFlFNzBBZ3BJZ3FvNDVHUVFZMkk0TjRBNUkxVVpkdHE2Q0p3IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnhQejBrdjM2OTNhZUpHSUZfWUtrTVZCdmE5ZjhjR0hTV0RWN1BWbXlIQWciLCJpc3MiOiJodHRwczovL2JvdGhycy5va3RhLmNvbSIsImF1ZCI6Imh0dHBzOi8vYm90aHJzLm9rdGEuY29tIiwic3ViIjoiZXdhcmRAYm90aHJzLmNvbSIsImlhdCI6MTYyMDc0NjEyMiwiZXhwIjoxNjIwNzQ5NzIyLCJjaWQiOiIwb2FvMW8yNzJ3WDB5T0YyMjVkNiIsInVpZCI6IjAwdW54MjM3dXVIZnlOQVVzNWQ2Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsImdyb3VwcyJdfQ.DhhTXtk9V3aMwg5gXng6oLztVEk6bLR6lAT8uzgeEB50_9fvtdntuua64mFhZzfqRBDH0sb4WAxUIHu-TeulSxn1LfcwTz43FdnHHm_FEAfNMCjXhp3Nnp2P9zToMruGG0gVNvMjeR-j1EU4XU6VW8lRDoTCeb8z1NJlBkqHFaOyjOjngal1caINfLyzf9VzUQnnmadHgo-hfBZQmU281SFFSSrMoj9mmrlAM_az7d2NLxabqRHNjvFuPQ1SeskUVhFm0SDMUJlrmjeVWbjX7FdIdUZeuPj2INfXhHKoPXR8zuZziyh93KNso1lBdRwK-p5SSXBdtmCTGUVmGT3xWg
@denysoblohin-okta straight from the Okta documentation:
algorithm (dropdown): Okta Workflows supports the following types of JWT encryption:
HS256 (default)
HS384
HS512
RS256
RS384
RS512
ES256
ES384
ES512
PS265
PS384
PS512
Then why is only RS256 supported?
In jwt-verifier code RS256 is set here: https://github.com/okta/okta-oidc-js/blob/40fe1dad11df4178eff20f6edd268877fb964ce7/packages/jwt-verifier/lib.js#L140
@aarongranick-okta Can we improve this in njwt and jwt-verifier to allow different signing algorithms?
Especially because HS256 is the default setting here :/
I'm submitting this issue for the package(s):
I'm submitting a:
Current behavior
A user has an Okta access token used in my application that gets sent as a header to my backend API. In the backend I run the jwt-verifier Node.js package to ensure that the person accessing the API is actually authorised to do so. This verify should return whether or not the token is valid.
Expected behavior
The verify function errors out and gives me the
[JwtParseError: Unexpected signature algorithm]
error.
Minimal reproduction of the problem with instructions
Below is my verify setup.
Environment
(node -v): v15.14.0