UnauthorizedError: invalid algorithm express-jwt

Bishan picture Bishan · Oct 5, 2016 · Viewed 8k times · Source

I am displaying some data on my website which returns from node server. It's works perfectly until today. Now I am getting below error on my server console when I go to my web page. I use Auth0 for signin in users.

UnauthorizedError: invalid algorithm
    at C:\workspace\New\MyApp\node_modules\express-jwt\lib\index.js:100:22
    at C:\workspace\New\MyApp\node_modules\express-jwt\node_modules\jsonwebtoken\index.js:155:18
    at nextTickCallbackWith0Args (node.js:420:9)
    at process._tickCallback (node.js:349:13)

What could be the issue?

Answer

Danny Sullivan picture Danny Sullivan · Aug 24, 2017

HS256 is less secure because it is symmetric, (the same secret is shared between the client and server). See this question: RS256 vs HS256: What's the difference?

You can maintain RS256 by using the node-jwks-rsa module to retrieve the signing key:

import jwt from 'express-jwt'
import jwksRsa from 'jwks-rsa'

const secret = jwksRsa.expressJwtSecret({
  cache: true,
  rateLimit: true,
  jwksRequestsPerMinute: 5,
  jwksUri: 'https://<YOUR_AUTH0_DOMAIN>/.well-known/jwks.json',
})

const jwtCheck = jwt({
  secret: secret,
  audience: <YOUR_AUTH0_AUDIENCE_OR_CLIENT_ID>,
  issuer: 'https://<YOUR_AUTH0_DOMAIN>/',
  algorithms: ['RS256'],
})

app.use(jwtCheck)