I was using Lock embedded in an SPA. I retrieve the JWT after login and pass it to AWS Lambda functions, which then use the JsonWebToken library’s verify call to validate the signature of the token. The Lambda functions have the secret key for the app, so with HS256 as the algorithm there was no issue: it checked the signature, all good.
Poor discipline on my part, but when I tested all this on my test application the migration to hosted pages worked fine, so I pushed it all to production and all seemed well (I can’t be certain). Then users recently said they could get their info retrieved in the SPA; the root cause is that the JWT is now signed with RS256, so verify is failing, as it only has the secret.
I’m at a loss as to how to force the hosted login page to return an HS256-signed JWT. Other posts here suggest it’s because Auth0 have decided an SPA isn’t secure enough to handle an HS256-signed JWT because it would need the secret key to verify it. Yep, I agree totally with that logic, but my SPA doesn’t need to verify it; a secured back-end process does.
So either I need to force the Auth0 hosted login page to return an HS256-signed JWT or make JsonWebToken understand how to use RS256, which seems (from looking at the code) to require providing the public key in the verify call. I don’t know what the best practice is there, i.e. embed the public key in the code or go and get it from somewhere.
Thanks in advance!