Connection used to fetch jwks.json is insecure

auth0js
jwks

#1
  • What are you trying to achieve? What is the use case or idea behind it?
    Using webAuth.parseHash() works in Chrome but not in Firefox. The issue appears to be when Firefox fetches the .well-known/jwks.json file, see screenshot:

  • If this is caused by an SDK please mention the SDK along with the specific version number.
    "auth0-js": "^9.4.1"

  • Is this easily reproducible? If not, please explain.
    Yes, using Firefox with webAuth.authorize({ responseType: 'token id_token' }); when using responseType: token without id_token it works just fine.

  • If this is related to Lock / any SDK please share the SDK as well as lock initialization code or any code that is relevant.
    import { WebAuth } from 'auth0-js';

    const webAuth = new WebAuth({
      domain: process.env.REACT_APP_AUTH0_DOMAIN,
      clientID: process.env.REACT_APP_AUTH0_CLIENT_ID,
      audience: process.env.REACT_APP_API,
      responseType: 'token id_token',
      scope: 'openid profile email',
      // template literal: the backticks were lost when the post was pasted
      redirectUri: `${window.location.origin}?authorize=true`,
      leeway: 60,
    });

  • Environment-specific information (Which OS, Language Runtime + Version, Browser etc).
    Firefox v59


#2

We’re looking into it - not sure what the issue with Firefox is given that the cert is fine


#3

I am also seeing odd behavior with the .well-known/jwks.json endpoint.

In Chrome, the status returns 200, but the response is empty so I get caught in an endless login loop.

For some reason this does not happen in Firefox or Chrome incognito mode. I get a response and am able to log in.


#4

The fact it doesn’t happen on Incognito or Firefox - makes me wonder if it’s an issue with a particular extension you might be running in Chrome?


#5

You’re right, I thought I had disabled Privacy Badger, but it was not completely disabled. That fixed my problem, thanks, but that still doesn’t solve the Firefox issue noted above.


#6

Yeah the issue @aranard is having is one we haven’t been able to track down - it is secure and the https cert is valid and all that so it could be a Firefox issue that we can’t address
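An added example, not code from this thread or from auth0-js, showing how a client can check the jwks.json response it gets back so that the empty 200 from post #3 or a non-HTTPS fetch fails with a clear error instead of an endless login loop; the function names (checkJwksUrl, parseJwksBody, selectKey, fetchJwks) and the sample key set are hypothetical.

```javascript
// Added example, not code from the thread or from auth0-js: validate a JWKS
// response before trusting it, so an empty 200 (post #3) or a non-HTTPS URL
// fails loudly instead of sending the app into an endless login loop.
// checkJwksUrl, parseJwksBody, selectKey and fetchJwks are hypothetical names.

function checkJwksUrl(url) {
  const u = new URL(url);
  // Signing keys must come over TLS; over plain HTTP anyone on the path
  // could substitute their own key set.
  if (u.protocol !== 'https:') throw new Error(`jwks_uri must be https, got ${u.protocol}`);
  if (u.pathname !== '/.well-known/jwks.json') throw new Error(`unexpected jwks path ${u.pathname}`);
  return u.href;
}

// status: HTTP status, body: raw response text. Returns the usable signing keys.
function parseJwksBody(status, body) {
  if (status !== 200) throw new Error(`jwks fetch failed: HTTP ${status}`);
  // A content-blocking extension can leave a 200 with an empty body.
  if (!body || body.trim() === '') throw new Error('jwks response body is empty');
  let doc;
  try { doc = JSON.parse(body); } catch (e) { throw new Error('jwks is not valid JSON'); }
  if (!Array.isArray(doc.keys) || doc.keys.length === 0) throw new Error('jwks has no keys');
  // auth0-js verifies id_tokens with RS256, so only RSA signing keys are usable.
  const usable = doc.keys.filter((k) => k.kty === 'RSA' && k.kid && k.n && k.e && (!k.use || k.use === 'sig'));
  if (usable.length === 0) throw new Error('jwks has no RSA signing keys');
  return usable;
}

// Pick the key named by a token header's kid; an unknown kid is a hard error,
// not a reason to retry the login.
function selectKey(keys, kid) {
  const key = keys.find((k) => k.kid === kid);
  if (!key) throw new Error(`no signing key with kid ${kid}`);
  return key;
}

// Constructed sample JWKS with placeholder values (not a real tenant's keys).
const SAMPLE_JWKS = JSON.stringify({
  keys: [{ kty: 'RSA', kid: 'sample-kid-1', use: 'sig', alg: 'RS256', n: 'placeholder-modulus', e: 'AQAB' }],
});

// fetchImpl is injectable so the validation can be exercised offline.
async function fetchJwks(url, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(checkJwksUrl(url), { headers: { Accept: 'application/json' } });
  return parseJwksBody(res.status, await res.text());
}
```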