Auth0 token - Node Jsonwebtoken - Cloudflare Workers

tools1 · June 9, 2022, 11:35pm

Hello!

I’m using the react auth0 provider to get an Auth0 token.
I’m taking this TOKEN and passing it via url param (as a test for now, eventually it would be a header) and try to decode it using jsonwebtoken verify function
The token is not getting verified.

This is my code (I’m setting type = “webpack” in my wrangler.toml so I can import modules):

import { verify } from 'jsonwebtoken'

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const url = new URL(request.url)
  const { searchParams } = url
  let token = searchParams.get('token')

  if (url.pathname === '/auth') {
    try {
      verify(
        token,
        STRING_SECRET,
        { algorithms: ['RS256'] },
        function(err, payload) {
          console.log('payload', err, payload)
        },
      )
    } catch (err) {
      console.log('error decoding', err.message, err.name)
    }
  }

  return new Response('No response', {
    headers: { 'content-type': 'text/plain' },
  })
}

The console.log(‘payload’, err, payload) is not showing an err or a payload . This is what the Cloudflare logs are showing:

"logs": [
    {
      "message": [
        "payload",
        {},
        null
      ],
      "level": "log",
      "timestamp": 1654695913617
    }
  ],

How can I verify this token? Appreciate any ideas.

Thank you!

dan.woda · June 16, 2022, 9:39pm

Hi @tools1,

Welcome to the Auth0 Community!

Are you seeing a valid token in your worker? You can print it and decode manually using jwt.io.

Is your secret set up correctly? You may want to consider fetching it directly from your tenant using the code snippet here:

github.com

auth0/node-jsonwebtoken/blob/master/README.md?plain=1#L217


      
          var cert = fs.readFileSync('public.pem');  // get public key
          jwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer', jwtid: 'jwtid' }, function(err, decoded) {
            // if jwt id mismatch, err == invalid jwt id
          });
          
          
// verify subject
          var cert = fs.readFileSync('public.pem');  // get public key
          jwt.verify(token, cert, { audience: 'urn:foo', issuer: 'urn:issuer', jwtid: 'jwtid', subject: 'subject' }, function(err, decoded) {
            // if subject mismatch, err == invalid subject
          });
          
          
// alg mismatch
          var cert = fs.readFileSync('public.pem'); // get public key
          jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {
            // if token alg != RS256,  err == invalid signature
          });
          
          
// Verify using getKey callback
          // Example uses https://github.com/auth0/node-jwks-rsa as a way to fetch the keys.
          var jwksClient = require('jwks-rsa');
          var client = jwksClient({

benstechlab · July 25, 2022, 9:05pm

Hi @dan.woda, FYI the provided solution above doesn’t actually work in Cloudflare Workers - but at no fault of Auth0. The node-jsonwebtoken and jwks-rsa packages require nodejs builtins and globals. Cloudflare Workers is nodejs “like”, but not actually full nodejs apis. They do offer the ability to turn on a compatibility mode which uses https://github.com/ionic-team/rollup-plugin-node-polyfills/ to emulate all the nodejs stuff. But sadly it still fails with the jwks-rsa package.

The most obvious dependency here is using the nodejs http and https libraries to make requests instead of the fetch api which are now standardized in all browsers and nodejs >=17.5. The same would apply to the nodejs crypto module vs browser JS crypto APIs.

Also FYI, Cloudflare removed their Workers+Auth0 blog post/sample this year due to a security flaw (I think it was not validating the JWT after it was returned from authorization server). So there is no good samples available today for CloudFlare+Auth0.

Ideally, the auth0 packages would be updated to have the option of using browser native APIs for http requests and crypto. But I realize that may not be a quick/easy task.

dan.woda · July 25, 2022, 9:22pm

@benstechlab Thanks for the added info!