Verify JWT Auth0

[michieldewilde]

When verifying the JSON Web Token the secret has to be passed as a Base64 encoded string.

jwt.verify(token, new Buffer(AUTH0_CLIENT_SECRET, 'base64'));

But since december 2016 Auth0 no longer stores client Secret with Base64 encoding (https://auth0.com/forum/t/client-secret-stored-without-base64-encoding).
So the JSON Web Token can be passed as string without being encoded.

jwt.verify(token, AUTH0_CLIENT_SECRET);

[andreafalzetti]

Thanks @michieldewilde for opening the issue. I was struggling for a couple of days to understand what the issue was. From CloudWatch I was getting the following error:

{
    "errorMessage": "Unauthorized JsonWebTokenError: invalid signature"
}

HTTP Response Headers:

Connection →keep-alive
Content-Length →16
Content-Type →application/json
Date →Wed, 01 Feb 2017 21:53:58 GMT
Via →1.1 ***.cloudfront.net (CloudFront)
X-Amz-Cf-Id →****==
X-Cache →Error from cloudfront
x-amzn-ErrorType →AuthorizerConfigurationException
x-amzn-RequestId →***

I've submitted a PR to fix this.
#69

Andrea

[rsweetland]

@andreafalzetti I was struggling with this as well. Applying the changes in your PR fixed the issue. Thank you!

[DavidWells]

Interesting thanks for the link.

I'm wondering why the live demo works http://auth0-serverless-protected-routes-demo.surge.sh/ ?

Did this demo code not work for you guys or are you implementing in a different way?

[DavidWells]

It might actually be due to the lambda type https://github.com/serverless/examples/blob/master/aws-node-auth0-custom-authorizers-api/serverless.yml#L17

Are you using lambda-proxy ?

[rsweetland]

The live-demo worked for me. The demo code did not.

Once I removed base64 encoding on on the AUTH0_CLIENT_SECRET on this line the demo code worked as expected.

I wonder if the live demo was configured with different version of the Auth0 api?

I didn't try lambda-proxy

[DavidWells]

Lambda-proxy is the default, if nothing is specified.

…

On Feb 3, 2017, at 10:41 AM, Reilly Sweetland ***@***.***> wrote: The live-demo worked for me. The demo code did not. Once I removed base64 encoding on on the AUTH0_CLIENT_SECRET on this line the demo code worked as expected. I wonder if the live demo was configured with different version of the Auth0 api? I didn't try lambda-proxy — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or mute the thread.

[rsweetland]

Ah. Guess I did try it then : )

[Molnfront]

I think it's Auth0, they have it backward compatible with old accounts, but if you use a new account you have to use without Base64.

[andreafalzetti]

I think @Molnfront is correct - As @rsweetland said, the demo works but the demo code didn't.

[DavidWells]

Merged in the update. Many thanks for bringing this to my attention!