I’m struggling to understand what I need to do to verify my Auth0-provided JWT via Node.js and jose. Here’s what I have, taken from the jose docs:
const {payload, protectedHeader} = await jose.jwtVerify(tkn, secret);
Here tkn is the JWT sent from my front-end to the back-end, while secret is the value of the “secret” field in the Auth0 dashboard under my application.
This generates the error:
Key for the RS256 algorithm must be of type CryptoKey.
I read in Auth0 that JWTs of type RS256 must be validated with a private signing key. I’m not sure what this means, and since it also says that JWTs of type HS256 are instead validated with the secret, I changed my application to HS256 instead. Now when I try the above code I get:
“alg” (Algorithm) Header Parameter value not allowed
What am I doing wrong here? JWT seems very complicated.
Thank you.
[ UPDATE ]
I have also read this guide, which says that to decode RS256 I need my public key. It advises that I can obtain this from application > advanced settings > certificates > signed certificate > public key. This field does not exist (at least for me).