
I'm trying to verify a JWT that uses the RS256 algorithm. When using the HS256 algorithm everything works fine.

let opts = {
  audience: 'y',
  issuer: `https://x.auth0.com/`,
  algorithms: ["RS256"]
}

jwt.verify(payload.token, 'secret', opts, (err, decoded) => {
  if (err) {
    console.log("invalid token in iamonline service " + err.message);
    return;
  }
});

I keep getting the error: PEM_read_bio_PUBKEY failed

While auth0 has documentation on how to do so, it assumes you are using Express, which I'm not. I am doing this over a websocket, so there is no middleware.

The annoying bit is that HS256 is fine for me but auth0 custom login forms seem to require RS256.

Ced
1 Answer


RS256 needs a public key to verify, but you are providing a string:

jwt.verify(payload.token, 'secret', opts, (err, decoded) => {

See the auth0 documentation:

jwt.verify(token, secretOrPublicKey, [options, callback])

token is the JsonWebToken string

secretOrPublicKey is a string or buffer containing either the secret for HMAC algorithms, or the PEM encoded public key for RSA and ECDSA.

You need to provide a PEM public key instead of the secret. The PEM file content will start with -----BEGIN PUBLIC KEY-----

const fs = require('fs');
var publicKey = fs.readFileSync('public.pem');
pedrofb