Home > Back-end >  Azure "JsonWebTokenError: invalid algorithm"
Azure "JsonWebTokenError: invalid algorithm"

Time:03-19

Azure Static Web App (SWA) with integrated API. One of the step at backend API is to validate the Bearer Token with public key submitted in request headers:

const jwt = require("jsonwebtoken");  // v 8.5.1
async function getMSPublicKey(misc)   // misc contains kid and tenantId, confirmed in F12 request header
{
    var vurl = "https://login.microsoftonline.com/"   misc.tenantId   "/v2.0/.well-known/openid-configuration";
    const x1 = await fetch(vurl);
    const x2 = await x1.json();
    const x3 = await fetch(x2.jwks_uri);
    const k = await x3.json();
    return pkey = k.keys.find( k => k.kid === misc.kid).x5c[0];  // public key in the entry matching kid
}

var vmisc = JSON.parse(ac.req.headers["misc"]);
var publickey = "-----BEGIN CERTIFICATE-----\n"   await getMSPublicKey(vmisc)   "\n-----END CERTIFICATE-----";

// next line is reported in AppTraces, Message = JsonWebTokenError: invalid algorithm
var payload = jwt.verify(theToken, publickey, { algorithms: ['RS256'] });
// theToken is validated ok at jwt.io

It only occurs when deployed to Azure cloud, local Azure Static Web Apps emulator is all ok.

Update, Guess this is something about Azure cloud, particularly security. similar result on another package Jose, error only on Azure cloud.

CodePudding user response:

Please check if the below steps help to work around:

Replace the CERTIFICATE keyword with PUBLIC KEY if you're using the public key or PRIVATE KEY if you're using the Private Key or RSA PRIVATE KEY if you are using RSA Private Key.

Also, the problem again occurs in the way we format the Public Key which requires begin and end lines, and line breaks at every 64 characters.

Refer here for more information.

CodePudding user response:

This ought to be painless and work the same with less code on your end, it handles rotation, re-fetching of the public keys, as well as implements a complete applicable JWK selection algorithm for all known JWS algorithms. Also does not depend on a brittle x5c[0] JWK parameter.

const jose = require('jose')

const JWKS = jose.createRemoteJWKSet(new URL(`https://login.microsoftonline.com/${misc.tenantId}/discovery/v2.0/keys`))

// JWKS you keep around for subsequent verifications.

const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS)
  • Related