Connection used to fetch jwks.json is insecure

  • What are you trying to achieve? What is the use case or idea behind it?
    using webAuth.parseHash() works in Chrome but not in firefox. The issue appears to be when firefox fetches the .well-known/jwks.json file, see screenshot:

  • If this is caused by an SDK please mention the SDK along with the specific version number.
    “auth0-js”: “^9.4.1”

  • Is this easily reproducible? If not, please explain.
    Yes, using firefox with webAuth.authorize({ responseType: 'token id_token' }), when using responseType: token without id_token it works just fine.

  • If this is related to Lock / any SDK please share the SDK as well as lock initialization code or any code that is relevant.
    const webAuth = new WebAuth({ domain: process.env.REACT_APP_AUTH0_DOMAIN, clientID: process.env.REACT_APP_AUTH0_CLIENT_ID, audience: process.env.REACT_APP_API, responseType: 'token id_token', scope: 'openid profile email', redirectUri: ${window.location.origin}?authorize=true, leeway: 60, });

  • Environment-specific information (Which OS, Language Runtime + Version, Browser etc).
    Firefox v59

We’re looking into it - not sure what the issue with Firefox is given that the cert is fine

1 Like

I am also seeing odd behavior with the .well-known/jwks.json endpoint.

In Chrome, the status returns 200, but the response is empty so I get caught in an endless login loop.


For some reason this does not happen in Firefox or Chrome incognito mode. I get a response and am able to log in.

The fact it doesn’t happen on Incognito or Firefox - makes me wonder if it’s an issue with a particular extension you might be running in Chrome?

You’re right, I thought I had disabled Privacy Badger, but it was not completely disabled. That fixed my problem, thanks, but that still doesn’t solve the Firefox issue noted above.

Yeah the issue @aranard is having is one we haven’t been able to track down - it is secure and the https cert is valid and all that so it could be a Firefox issue that we can’t address

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

I’m not sure it’s Firefox specific. It happens to me in Safari as well.

Interestingly, when I load the jwks URI in its own tab everything works fine, so I don’t necessarily think it’s the cert that’s the problem. Even more interesting, if I manually make an XHR request to that URL or if I “retry” the request with Firefox Dev Tools it also succeeds.

So it’s more seeming like something with the timing of the request, perhaps relative to the other Auth0 requests that go out?

So you’re still seeing this? Can you capture a HAR file (removing any sensitive info) and send me a PM with it?

PM sent, let me know if you need anything else. But yes, still seeing it on latest Firefox and Safari. I believe we’ve also had reports of issues on Chrome on iOS as well.

FYI, I’m still seeing this behavior and have not found a fix. Are there any ideas? Is anyone else able to reproduce this?

Hey there!

Sorry for such delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such inconvenience!

Do you still require further assistance from us?