Search code examples
node.jsazurejwttokenazure-authentication

Azure "JsonWebTokenError: invalid algorithm"

Azure Static Web App (SWA) with integrated API. One of the step at backend API is to validate the Bearer Token with public key submitted in request headers:

const jwt = require("jsonwebtoken");  // v 8.5.1
async function getMSPublicKey(misc)   // misc contains kid and tenantId, confirmed in F12 request header
{
    var vurl = "https://login.microsoftonline.com/" + misc.tenantId + "/v2.0/.well-known/openid-configuration";
    const x1 = await fetch(vurl);
    const x2 = await x1.json();
    const x3 = await fetch(x2.jwks_uri);
    const k = await x3.json();
    return pkey = k.keys.find( k => k.kid === misc.kid).x5c[0];  // public key in the entry matching kid
}

var vmisc = JSON.parse(ac.req.headers["misc"]);
var publickey = "-----BEGIN CERTIFICATE-----\n" + await getMSPublicKey(vmisc) + "\n-----END CERTIFICATE-----";

// next line is reported in AppTraces, Message = JsonWebTokenError: invalid algorithm
var payload = jwt.verify(theToken, publickey, { algorithms: ['RS256'] });
// theToken is validated ok at jwt.io

It only occurs when deployed to Azure cloud, local Azure Static Web Apps emulator is all ok.

Update, Guess this is something about Azure cloud, particularly security. similar result on another package Jose, error only on Azure cloud.

Update: found culprit My original code was sending the token in under Authorization name. Azure log shows its read-in length is always 372 vs. 1239 tested in local emulator. After renaming it to something else like mytoken, all good! This is undocumented, reminder to everyone: avoid sensitive/reserved words.

Solution

  • This ought to be painless and work the same with less code on your end, it handles rotation, re-fetching of the public keys, as well as implements a complete applicable JWK selection algorithm for all known JWS algorithms. Also does not depend on a brittle x5c[0] JWK parameter.

    const jose = require('jose')

const JWKS = jose.createRemoteJWKSet(new URL(`https://login.microsoftonline.com/${misc.tenantId}/discovery/v2.0/keys`))

// JWKS you keep around for subsequent verifications.

const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS)