Verify a RS256 jwt on node PEM_read_bio_PUBKEY failed

Question

I'm trying to I'm trying to verify a jwt that use the RS256 algorithm. When using the hs256 algorithm everything works fine

let opts = {
  audience: 'y',
  issuer: `https://x.auth0.com/`,
  algorithms: ["RS256"]
}

jwt.verify(payload.token, 'secret', opts, (err, decoded) => {
    if (err) {
        console.log("invalid token in iamonline service " + err.message);
        return;
    }

I keep getting the error: PEM_read_bio_PUBKEY failed

While auth0 has documentation to do so, it assumes you are using express which I'm not. I am doing this over a websocket so no middleware.

The annoying bit is that HS256 is fine for me but auth0 custom login forms seem to require RS256.

score 13 · Accepted Answer · edited Jun 20 '20 at 09:12

13

RS256 needs a public key to verify, but you are providing an string

jwt.verify(payload.token, 'secret', opts, (err, decoded) => {

See documentation of auth0

jwt.verify(token, secretOrPublicKey, [options, callback])

token is the JsonWebToken string

secretOrPublicKey is a string or buffer containing either the secret for HMAC algorithms, or the PEM encoded public key for RSA and ECDSA.

You need to provide a PEM public key instead of secret. The PEM file content will start with -----BEGIN PUBLIC KEY-----

var publicKey = fs.readFileSync('public.pem');

edited Jun 20 '20 at 09:12

Community

1
1

answered Mar 20 '17 at 20:44

pedrofb

37,271
5
94
142

5

Yay, thanks! To add to this, in auth0 the file can be found in clients > advanced settings > certificates – Ced Mar 20 '17 at 22:21
Thanks Ced, that was really helpful – Daniel Khoroshko Sep 01 '17 at 07:56

Verify a RS256 jwt on node PEM_read_bio_PUBKEY failed

1 Answers1