Hello,
I have an issue regarding the JWT tokens I’m getting from Auth0 and how I’m trying to decode them on my Python backend using PyJWT. I have set my Auth0 application to use the HS256 signing algorithm. However, the JWTs I’m getting seem to be using the “dir” algorithm and “A256GCM” encryption, according to the JWT header:
{
  "alg": "dir",
  "enc": "A256GCM",
  "iss": "https://dev-scw75shlt3zj7drj.us.auth0.com/"
}
When I try to decode this JWT on my Python backend using the HS256 algorithm, I’m getting the error “The specified alg value is not allowed”. I understand this is because of the mismatch between the algorithm used in the JWT and the one I’m trying to use to decode it.
However, I don’t understand why the JWT is using the “dir” algorithm in the first place. I’ve checked my Auth0 application settings, and I’ve confirmed that I’m using the HS256 signing algorithm. I’ve also made sure that the “OIDC Conformant” setting is turned off.
Here’s the code I’m using to get the token:
import { watchEffect } from 'vue';
import axios from 'axios';
import { useAuth0 } from '@auth0/auth0-vue';

const { isAuthenticated, loginWithRedirect, logout, getAccessTokenSilently } = useAuth0();

const login = () => {
  loginWithRedirect();
};

// Once the user is authenticated, fetch an access token for the given audience
// and send it as a Bearer token to the backend's /register route.
watchEffect(async () => {
  if (isAuthenticated.value) {
    const token = await getAccessTokenSilently({
      audience: 'A5BKrZ6Ipu8mtitkYoWHted4xqrFT3q7'
    });
    axios.post("http://localhost:3000/register", {}, {
      headers: {
        Authorization: `Bearer ${token}`
      }
    }).then(response => {
      console.log(response.data);
    }).catch(error => {
      console.error(error);
    });
  }
});
Here’s the code I’m using to decode the JWT:
import os

import jwt
from flask import Flask, jsonify, request
from werkzeug.exceptions import BadRequest, Unauthorized

app = Flask(__name__)
users = {}  # in-memory user store keyed by the token's "sub" claim

@app.route('/register', methods=['POST'])
def register():
    auth_header = request.headers.get('Authorization')
    if not auth_header:
        raise Unauthorized('No Authorization header provided.')
    bearer, _, token = auth_header.partition(' ')
    if bearer != 'Bearer':
        raise Unauthorized('Invalid Authorization header.')
    try:
        # Verify the token as an HS256 JWS using the application's client secret
        payload = jwt.decode(token, os.environ['AUTH0_CLIENT_SECRET'], algorithms=['HS256'])
        print(payload)
    except jwt.InvalidTokenError as error:
        print(error)
        raise Unauthorized('Invalid token.')
    user_id = payload.get('sub')
    if not user_id:
        raise BadRequest('No user ID in token.')
    users[user_id] = request.json
    return jsonify({'message': 'User registered successfully.'})
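An added example, not part of the question and not PyJWT's or Auth0's own code, that shows with only the standard library how to tell a five-segment JWE with the header quoted above from a three-segment HS256 JWS before handing it to a decoder, and what an HS256 check with pinned alg, constant-time MAC comparison and audience/issuer enforcement actually does. The API identifier and shared secret are constructed placeholders; the issuer is the one from the question.

```python
import base64, hashlib, hmac, json, time

ISSUER = "https://dev-scw75shlt3zj7drj.us.auth0.com/"   # issuer from the question
AUDIENCE = "https://api.example.test/"                  # hypothetical API identifier
SECRET = "constructed-shared-secret"                    # stands in for AUTH0_CLIENT_SECRET

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def inspect_token(token: str) -> dict:
    # Read only the unauthenticated header and count the segments: a JWS has 3
    # (header.payload.signature), a JWE has 5 (header.key.iv.ciphertext.tag).
    parts = token.split(".")
    header = json.loads(b64url_decode(parts[0]))
    kind = {3: "JWS", 5: "JWE"}.get(len(parts), "unknown")
    return {"kind": kind, "alg": header.get("alg"), "enc": header.get("enc")}

def verify_hs256(token: str, secret: str, audience: str, issuer: str) -> dict:
    # Pin the alg before touching the MAC, compare in constant time, then
    # enforce exp/aud/iss. Any failure raises ValueError.
    info = inspect_token(token)
    if info["kind"] != "JWS" or info["alg"] != "HS256":
        raise ValueError(f"The specified alg value is not allowed: {info}")
    head, body, sig = token.split(".")
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("token expired")
    if claims.get("aud") != audience or claims.get("iss") != issuer:
        raise ValueError("audience or issuer mismatch")
    return claims

def mint_hs256(claims: dict, secret: str) -> str:
    # Constructed sample JWS standing in for a token Auth0 would sign with HS256.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    mac = hmac.new(secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

# Constructed JWE carrying the header from the question. With alg "dir" the
# encrypted-key segment is empty; the IV, ciphertext and tag here are dummies.
JWE_SAMPLE = ".".join([
    b64url_encode(json.dumps({"alg": "dir", "enc": "A256GCM", "iss": ISSUER}).encode()),
    "", b64url_encode(b"\x00" * 12), b64url_encode(b"ciphertext"), b64url_encode(b"\x00" * 16)])
```

A token whose header says alg "dir" with enc "A256GCM" is encrypted under a symmetric key the backend never holds, so no HS256 secret can validate it; a resource server can only verify a signed JWS that was minted for an API identifier passed as the audience.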