This repository has been archived by the owner on Oct 24, 2024. It is now read-only.

JWT-verifier -> [JwtParseError: Unexpected signature algorithm] #997

Open
2 tasks
Pixelatex opened this issue May 11, 2021 · 6 comments

Comments

@Pixelatex

Pixelatex commented May 11, 2021

I'm submitting this issue for the package(s):

  • [*] jwt-verifier
  • oidc-middleware

I'm submitting a:

  • Other (Describe below)
    I'm receiving an error back but can't find any information on how to resolve it.

Current behavior

A user has an Okta access token used in my application that gets sent as a header to my backend API.
In the backend I run the jwt-verifier Node.js package to ensure that the person accessing the API is actually authorised to do so.
This verify should return whether or not the token is valid.

Expected behavior

The verify function errors out and gives me the [JwtParseError: Unexpected signature algorithm] error.

Minimal reproduction of the problem with instructions

Below is my verify setup.

import OktaJwtVerifier from '@okta/jwt-verifier'

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: "https://****.okta.com/oauth2"
})

// accessToken is the bearer token taken from the request header; res is the
// response object of the enclosing request handler.
oktaJwtVerifier
  .verifyAccessToken(accessToken, 'api://default')
  .then((jwt) => {
    // the token is valid (per definition of 'valid' above)
    console.log(jwt.claims)
  })
  .catch((err) => {
    // a validation failed, inspect the error
    console.log(err, 'err auth')
    return res.status(401).send('Not allowed')
  })

Environment

  • Package Version: ^2.1.0
  • Browser: chrome
  • OS: mac osx
  • Node version (node -v): v15.14.0
  • Other:
@denysoblohin-okta
Contributor

Thanks for submitting this issue.
What alg value is in the header of access token? (You can parse JWT here for example)
The only supported alg in jwt-verifier is RS256

@Pixelatex
Author

Aha, mine is:

{
  "alg": "HS512"
}

@Pixelatex
Author

I used https://mkjwk.org/ to generate a token as RS256 but now they keep coming back as signature invalid in jwt.io.

Example jwt:

eyJraWQiOiJpcnE0SHduaFlFNzBBZ3BJZ3FvNDVHUVFZMkk0TjRBNUkxVVpkdHE2Q0p3IiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnhQejBrdjM2OTNhZUpHSUZfWUtrTVZCdmE5ZjhjR0hTV0RWN1BWbXlIQWciLCJpc3MiOiJodHRwczovL2JvdGhycy5va3RhLmNvbSIsImF1ZCI6Imh0dHBzOi8vYm90aHJzLm9rdGEuY29tIiwic3ViIjoiZXdhcmRAYm90aHJzLmNvbSIsImlhdCI6MTYyMDc0NjEyMiwiZXhwIjoxNjIwNzQ5NzIyLCJjaWQiOiIwb2FvMW8yNzJ3WDB5T0YyMjVkNiIsInVpZCI6IjAwdW54MjM3dXVIZnlOQVVzNWQ2Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsImdyb3VwcyJdfQ.DhhTXtk9V3aMwg5gXng6oLztVEk6bLR6lAT8uzgeEB50_9fvtdntuua64mFhZzfqRBDH0sb4WAxUIHu-TeulSxn1LfcwTz43FdnHHm_FEAfNMCjXhp3Nnp2P9zToMruGG0gVNvMjeR-j1EU4XU6VW8lRDoTCeb8z1NJlBkqHFaOyjOjngal1caINfLyzf9VzUQnnmadHgo-hfBZQmU281SFFSSrMoj9mmrlAM_az7d2NLxabqRHNjvFuPQ1SeskUVhFm0SDMUJlrmjeVWbjX7FdIdUZeuPj2INfXhHKoPXR8zuZziyh93KNso1lBdRwK-p5SSXBdtmCTGUVmGT3xWg

@Pixelatex
Author

@denysoblohin-okta

Straight from the Okta documentation:

algorithm (dropdown): Okta Workflows supports the following types of JWT encryption:

  • HS256 (default)
  • HS384
  • HS512
  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512
  • PS256
  • PS384
  • PS512

Then why is only RS256 supported?

@denysoblohin-okta
Contributor

In jwt-verifier code RS256 is set here:

this.verifier = nJwt.createVerifier().setSigningAlgorithm('RS256').withKeyResolver((kid, cb) => {

@aarongranick-okta Can we improve this in njwt and jwt-verifier to allow different signing algorithms?

@Pixelatex
Author

Especially because HS256 is the default setting here :/


2 participants