Unable to Verify aud Claim

I am having difficulty getting the jsonwebtoken verify function to work correctly.

The audience (aud) will either not verify (even though it is the same as what was in the jwt originally), or it will verify even if the content of aud is different from what was originally in the jwt.

I am signing my jwt using the following:

    jwt.sign({aud: "example.com"}, privateKey, {algorithm: 'RS256'})

If I use the following to verify, I get a ‘JsonWebTokenError: jwt audience invalid. expected: example.com’ even though the audience is ‘example.com’:

    jwt.verify(token, privateKey, {
        algorithms: ['RS256'],
        audience: "example.com"}, //GET ERROR ALWAYS
        (err, decoded) => {
            if (err) {
                console.log('Error: ' + err)
            } else {
                console.log('Decoded: ' + JSON.stringify(decoded))
                return decoded
            }
        })

If I use ‘aud’ for the verification, it verifies even if I put in bad data:

    jwt.verify(token, privateKey, {
        algorithms: ['RS256'],
        // 'aud' is not a recognised verify option (the option is 'audience'),
        // so jsonwebtoken ignores it and performs no audience check at all
        aud: "not what was in token"}, //ALWAYS VERIFIES
        (err, decoded) => {
            if (err) {
                console.log('Error: ' + err)
            } else {
                console.log('Decoded: ' + JSON.stringify(decoded))
                return decoded
            }
        })

I have tried signing the token using ‘audience’ (instead of ‘aud’), but have the same issue. Is there something I am missing? Any help would be greatly appreciated! Thanks

Environment

NodeJS - v10.16.2
jsonwebtoken - v8.5.1

Posted this question on Stack Overflow too.

That’s weird, I just tried with the code you shared (updated to HS256 for simplicity) and it worked as expected.

For reference, here’s the code I used to test (at https://repl.it/):

    const jwt = require('jsonwebtoken');

    let token = jwt.sign({aud: "example.com"}, "Zim0C08g-0yW3P8FKGve0td_a0y4jqX-hkkMejMg9l2ri7SLj0K-n0_myBCWyLaP", {algorithm: 'HS256'});

    jwt.verify(token, "Zim0C08g-0yW3P8FKGve0td_a0y4jqX-hkkMejMg9l2ri7SLj0K-n0_myBCWyLaP", {
        algorithms: ['HS256'],
        audience: "example.com"},
        (err, decoded) => {
            if (err) {
                console.log('Error: ' + err)
            } else {
                console.log('Decoded: ' + JSON.stringify(decoded))
                return decoded
            }
        })

Can you reproduce the error with HS256 and if yes, share the full test code exactly as you executed it?


Hi,
I tried it again using HS and it worked. There must have been some other issue.

Thank you for your help!

PS: The link you listed was for something else, just FYI.


Glad you have sorted it out guys!

My bad on the link, will edit it; I picked the first Google result for a Node.js playground, modified it, and then just grabbed the original link without thinking about the consequences.
