UnauthorizedError: invalid algorithm express-jwt

4

19

I am displaying some data on my website which is returned from a Node server. It worked perfectly until today. Now I am getting the error below on my server console when I go to my web page. I use Auth0 for signing in users.

UnauthorizedError: invalid algorithm
    at C:\workspace\New\MyApp\node_modules\express-jwt\lib\index.js:100:22
    at C:\workspace\New\MyApp\node_modules\express-jwt\node_modules\jsonwebtoken\index.js:155:18
    at nextTickCallbackWith0Args (node.js:420:9)
    at process._tickCallback (node.js:349:13)

What could be the issue?

Venola answered 5/10, 2016 at 13:2 Comment(0)
11

I had the same problem. I use Auth0 for signing in users. You have to check the algorithm type.

If you're using Auth0 then go to

Client -> Settings -> Advanced Settings -> OAuth

and check the algorithm type. It has to be HS256.

If you're not using Auth0 then check the algorithm type also.

Sweetmeat answered 6/10, 2016 at 1:39 Comment(0)
21

HS256 is less secure because it is symmetric (the same secret is shared between the client and server). See this question: RS256 vs HS256: What's the difference?

You can maintain RS256 by using the node-jwks-rsa module to retrieve the signing key:

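import express from 'express'
import jwt from 'express-jwt'
import jwksRsa from 'jwks-rsa'

const app = express()

// Fetch the RS256 public signing key from the tenant's JWKS endpoint,
// caching keys and rate limiting lookups
const secret = jwksRsa.expressJwtSecret({
  cache: true,
  rateLimit: true,
  jwksRequestsPerMinute: 5,
  jwksUri: 'https://<YOUR_AUTH0_DOMAIN>/.well-known/jwks.json',
})

// Accept only RS256 tokens issued by this tenant for this audience
const jwtCheck = jwt({
  secret: secret,
  audience: '<YOUR_AUTH0_AUDIENCE_OR_CLIENT_ID>',
  issuer: 'https://<YOUR_AUTH0_DOMAIN>/',
  algorithms: ['RS256'],
})

app.use(jwtCheck)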
Deus answered 24/8, 2017 at 4:50 Comment(0)
8

Use this

expressJwt({
  secret: process.env.JWT_SECRET,
  algorithms: ['sha1', 'RS256', 'HS256'],
})
Frowsy answered 25/10, 2020 at 7:24 Comment(1)
Why would this help? - Rademacher
2

Use the code below in your expressJwt param():

algorithms: ['sha1', 'RS256', 'HS256'],

Copy the algorithms and change/paste it in your function. This method helps me in Postman, Paw, Robo 3T.
Creel answered 4/1, 2021 at 13:17 Comment(1)
That's basically the same answer as this one, and doesn't add anything new but raises the same question: Why would this help? - Daffi
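
An added example (not from any of the answers above, and not express-jwt's own code): a small Node.js diagnostic that reads a token's header to show why a verifier's `algorithms` allow-list rejects it with "invalid algorithm", and that audits an allow-list such as the one in the last two answers. The function names and the sample token are constructed for illustration.

```javascript
// JWS signing algorithm names this check knows (RFC 7518, plus EdDSA from RFC 8037),
// grouped by the kind of key they need.
const HMAC = ['HS256', 'HS384', 'HS512'];
const ASYMMETRIC = ['RS256', 'RS384', 'RS512', 'ES256', 'ES384', 'ES512',
                    'PS256', 'PS384', 'PS512', 'EdDSA'];

// Read the JOSE header WITHOUT verifying anything. For diagnostics only:
// never make an authorization decision from an unverified header.
function readHeader(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 parts)');
  // Node's 'base64' decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[0], 'base64').toString('utf8'));
}

// Compare the token's `alg` with the verifier's allow-list.
function diagnose(token, allowed) {
  const { alg, kid } = readHeader(token);
  if (allowed.includes(alg)) return { ok: true, alg, kid };
  return { ok: false, alg, kid,
    reason: `token is signed with ${alg}, verifier only accepts ${allowed.join(', ')}` };
}

// Flag allow-lists that are wider than a single key can safely support.
function auditAllowList(allowed) {
  const findings = [];
  for (const a of allowed) {
    if (a === 'none') findings.push('"none" disables signature checking');
    else if (!HMAC.includes(a) && !ASYMMETRIC.includes(a))
      findings.push(`"${a}" is not a JWS algorithm name this check knows`);
  }
  if (allowed.some(a => HMAC.includes(a)) && allowed.some(a => ASYMMETRIC.includes(a)))
    findings.push('mixes HMAC and public-key algorithms for one secret');
  return findings;
}

// Constructed sample: dummy header and payload, placeholder signature.
function sampleToken(alg) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg, typ: 'JWT', kid: 'sample-key-1' })}.${enc({ sub: 'user-1' })}.c2ln`;
}

// An RS256 token against an HS256-only verifier: the mismatch from the question.
console.log(diagnose(sampleToken('RS256'), ['HS256']));
// The allow-list from the last two answers.
console.log(auditAllowList(['sha1', 'RS256', 'HS256']));
```

An allow-list that mixes HS256 and RS256 for a single `secret` lets the token's header decide whether that value is treated as an HMAC key or as a public key, so keep the list to the one algorithm your issuer actually signs with.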
