I troubleshot this some more and am still coming up empty. I started by adding breakpoints at the entry point of jwt-express.
I’m able to follow the trail to the jwa library verify method. My breakpoint at this line of code shows values for both the public key and the signature. I have verified the public key is the key retrieved from .well-known/jwks.json, and I ensured the signature is the last portion of my JWT token.
I have no idea what I could be doing wrong, and after a couple of hours of troubleshooting I’m about to throw in the towel for HS256.
Still unable to find a resolution. Tried changing my app to HS256, then saw a post where native apps are forcibly issued RS256 tokens because native clients can’t reliably store secrets, which makes sense.
I’m trying to follow the manual steps and can’t get my token to verify either. On my mobile device I log in and capture the token, I paste that into jwt.io, then I get my key from /pem (or the jwks url, I have validated they are the same) and paste that into jwt.io, and can’t validate the signature.
I feel like I’m doing something completely off base, but all the online documentation seems to point me in this direction. To verify, I should be able to:
1. Login on the auth0 form requesting an id token
2. Extract the id token from the request object and paste it into jwt.io
3. Get the public key either from the dashboard, /pem, or the json returned from .well-known/jwks.json and paste it into jwt.io where the existing public key is and verify?
I am unable to get my token to verify with this method. What am I missing?