How do I verify an Auth0 JWT with Node.js > Jose?

I’m struggling to understand what I need to do to verify my Auth0-provided JWT via Node.js and jose. Here’s what I have, taken from the jose docs:

import * as jose from 'jose';

// tkn: the JWT sent by the front-end; secret: the value copied from the Auth0 dashboard
const {payload, protectedHeader} = await jose.jwtVerify(tkn, secret);

tkn is the JWT sent from my front-end to the back-end, while secret is the value of the “secret” field in the Auth0 dashboard under my application.

This generates an error that

Key for the RS256 algorithm must be of type CryptoKey.

I read in Auth0 that JWTs of type RS256 must be validated with a private signing key. I’m not sure what this means, and since it also says that JWTs of type HS256 are instead validated with the secret, I changed my application to HS256 instead. Now when I try the above code I get:

“alg” (Algorithm) Header Parameter value not allowed

What am I doing wrong here? JWT seems very complicated :(

Thank you.

[ UPDATE ]

I have also read this guide, which says that to decode RS256 I need my public key. It advises that I can obtain this from application > advanced settings > certificates > signed certificate > public key. This field does not exist (at least for me).


Hey there @kkrp1 !

It might be easier to use the JWKS endpoint outlined at the bottom under “Usage with a public JSON Web Key Set hosted on a remote URL” in the jwtVerify documentation. Something like:

import { createRemoteJWKSet, jwtVerify } from 'jose'

// Auth0 publishes the tenant's RS256 signing keys at its JWKS endpoint;
// jose fetches and caches them, and picks the key matching the token's "kid" header.
const JWKS = createRemoteJWKSet(new URL('https://{YOUR_AUTH0_DOMAIN}/.well-known/jwks.json'))

// Verify the signature, then check the claims. Auth0 sets "iss" to the full
// https://{YOUR_AUTH0_DOMAIN}/ URL, trailing slash included.
const {payload} = await jwtVerify(jwt, JWKS, {
  issuer: 'https://{YOUR_AUTH0_DOMAIN}/',
  audience: '{YOUR_AUDIENCE}',
})

console.log(payload)
