I’m trying to verify an idtoken issued by our new auth application, but it is failing… We also have another application on a different tenant which is working, but the idtoken looks very different.
This is an idToken issued by our working (5-year-old) Auth0 application:
On our backend we are verifying it and grabbing the email like so:
const jwt = require('jsonwebtoken'); // assumed: the jsonwebtoken package, which produces the errors quoted below
const result = jwt.verify(token, clientSecret, { audience: auth0ClientId });
In our new app we have created a new tenant and set up a universal login page. We are using the React SPA SDK. When a user logs in on our frontend through that Auth0 login page, I am getting the idToken like this:
this.state.auth0Client.getIdTokenClaims().then(data => {
  const auth0Token = data.__raw;
  // .... send token to be verified on backend
});
This token that I get in __raw looks different than the one we get in our other app. It looks like this:
When trying to verify this token I first got the error: invalid algorithm
I notice that this token is encoded with RS256 and not HS256 like the one issued by our other app… Why is that?
Anyway, I have tried to change the verification by passing in an algorithm array in the options like so:
const result = jwt.verify(token, clientSecret, { audience: auth0ClientId, algorithms: ['RS256'] });
However, this also does not work; I get a different error:
{
  library: 'PEM routines',
  function: 'get_name',
  reason: 'no start line',
  code: 'ERR_OSSL_PEM_NO_START_LINE'
}
1. Why are the two idTokens so different, both in terms of encoding algorithm but also what they contain?
2. How can I solve this?