Unable to Verify aud Claim

vbuser2004 · April 12, 2020, 2:05pm

I am having difficulty getting the jsonwebtoken verify function to work correctly.

The audience (aud) will either not verify (even though it is the same as what was in the jwt originally), or it will verify even if the content of aud is different from what was originally in the jwt.

I am signing my jwt using the following:

jwt.sign({aud: "example.com"}, privateKey, {algorithm: 'RS256'})

If I use the following to verify I get an ‘JsonWebTokenError: jwt audience invalid. expected: example.com’ even though audience is ‘example.com’

    jwt.verify(token, privateKey, { 
                        algorithms: ['RS256'], 
                        audience: "example.com"}, //GET ERROR ALWAYS 
                        (err, decoded) => {
                        if(err) {
                            console.log('Error: ' + err)

                        } else{
                            console.log('Decoded: ' + JSON.stringify(decoded))
                            return decoded
                        }
                    })

If I use ‘aud’ for the verification - it verifies even if I put in bad data.

jwt.verify(token, privateKey, { 
                    algorithms: ['RS256'], 
                    aud: "not what was in token"}, //ALWAYS VERIFIES 
                    (err, decoded) => {
                    if(err) {
                        console.log('Error: ' + err)

                    } else{
                        console.log('Decoded: ' + JSON.stringify(decoded))
                        return decoded
                    }
                })

I have tried signing the token using ‘audience’ (instead of ‘aud’), but have the same issue. Is there something I am missing? Any help would be greatly appreciated! Thanks

Environment

NodeJS - v10.16.2
jsonwebtoken - v8.5.1

Posted this question on Stackoverflow too.

jmangelo · April 13, 2020, 1:26pm

That’s weird, just tried with the code you shared (updated for HS256 for simplicity) and it worked as expected.

For reference here’s the code I used to test at (https://repl.it/):

const jwt = require('jsonwebtoken');

let token = jwt.sign({aud: "example.com"}, "Zim0C08g-0yW3P8FKGve0td_a0y4jqX-hkkMejMg9l2ri7SLj0K-n0_myBCWyLaP", {algorithm: 'HS256'});

jwt.verify(token, "Zim0C08g-0yW3P8FKGve0td_a0y4jqX-hkkMejMg9l2ri7SLj0K-n0_myBCWyLaP", { 
    algorithms: ['HS256'], 
    audience: "example.com"},
    (err, decoded) => {
    if(err) {
        console.log('Error: ' + err)

    } else{
        console.log('Decoded: ' + JSON.stringify(decoded))
        return decoded
    }
})

Can you reproduce the error with HS256 and if yes, share the full test code exactly as you executed it?

vbuser2004 · April 13, 2020, 11:51pm

Hi,
I tried it again using HS and it worked. There must have been some other issue.

Thank you for your help!

PS The link you listed was for something else - just FYI

konrad.sopala · April 14, 2020, 11:09am

Glad you have sorted it out guys!

jmangelo · April 16, 2020, 8:34am

My bad on the link, will edit it; I picked the first Google result for a Node.js playground and modified it and then just grabbed the original link without thinking on the consequences.

Topic		Replies	Views
Jwt verification error Help jwt , auth0	3	7368	September 4, 2019
Need help in jwt verification Help jwt , verification	4	5311	September 3, 2019
Unable to verify jwt generated by auth0 Help token , jwt , webtask , auth0js	6	12817	March 2, 2018
Validate access token failing Help apis , application	10	889	January 17, 2024
Golang validation failed, invalid audience claim (aud) Help jwt , auth0	1	1940	July 18, 2022

Unable to Verify aud Claim

Environment

Related Topics