441642
#1
Hi

I was attempting to implement the user-profile from chapter 5 and it just does not work. After running the Lambda function I get this:

Failed jwt verification: { [JsonWebTokenError: invalid signature] name: 'JsonWebTokenError', message: 'invalid signature' } auth: Bearer

and

2017-01-25T00:57:31.287Z 3f67a758-e299-11e6-a424-e1f21707f576
{
"errorMessage": "Authorization Failed"
}


After looking at the script, it appears to be decoding base64, and after some more digging around I found that Auth0 does not use base64 encoding for client secret keys generated anymore (after Dec 6, 2016). Here is the thread:

https://auth0.com/forum/t/client-secret-stored-without-base64-encoding/4338


Is that correct? If so, could you please post updated code?

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Update: Changing this line from using base64 to utf8 worked for me in both the user-profile and custom-authorizer Lambda functions. Hope this helps someone else.

var secretBuffer = new Buffer(env.AUTH0_SECRET, 'utf8');


439922
#2
Thank you! It works for me!
Peter Sbarski
#3
Hi 441642, you are completely correct and thank you! We've made a modification in the latest MEAP to account for this change in Auth0.

Cheers,
Peter
Rails4G
#4
Using the latest book release, I'm getting the same error with:
var secretBuffer = new Buffer(process.env.AUTH0_SECRET);

Invalid signature on verify.

Tried variations, but same error:

var secretBuffer = new Buffer(process.env.AUTH0_SECRET, 'utf8');
var secretBuffer = new Buffer(process.env.AUTH0_SECRET, 'base64');
Rails4G
#5
It's working.
Issue was:

1. The old 2016 secret key was base64 encoded.
2. A new secret was created, but the API wouldn't work, even after updating config.js. Deleted the API and recreated it; now it works.
Peter Sbarski
#6
Hi Rails4G, nice work on solving the issue. Thank you for posting it here too. I am sure it will come in useful for other readers too!

Thanks,
Peter
74050
#7
I had some trouble with this too. I fixed it by going to my client > Settings > Show Advanced Settings > OAuth > Set "JsonWebToken Signature Algorithm" to HS256 (it was RS256 by default)

I tested this a couple of times toggling "JsonWebToken Signature Algorithm", closing the browser, re-logging in in incognito mode and trying to access my profile. HS256 worked and RS256 didn't.

You can click the ? next to "JsonWebToken Signature Algorithm" and it shows more, so maybe RS256 works as long as you do some other configuration.
349252
#8
74050 wrote:I had some trouble with this too. I fixed it by going to my client > Settings > Show Advanced Settings > OAuth > Set "JsonWebToken Signature Algorithm" to HS256 (it was RS256 by default)

I tested this a couple of times toggling "JsonWebToken Signature Algorithm", closing the browser, re-logging in in incognito mode and trying to access my profile. HS256 worked and RS256 didn't.

You can click the ? next to "JsonWebToken Signature Algorithm" and it shows more, so maybe RS256 works as long as you do some other configuration.


Brilliant, thanks. I was getting an "invalid algorithm" error; changing the settings as you described fixed it. Many thanks.
slecuona
#9
74050 wrote:I had some trouble with this too. I fixed it by going to my client > Settings > Show Advanced Settings > OAuth > Set "JsonWebToken Signature Algorithm" to HS256 (it was RS256 by default)

I tested this a couple of times toggling "JsonWebToken Signature Algorithm", closing the browser, re-logging in in incognito mode and trying to access my profile. HS256 worked and RS256 didn't.

You can click the ? next to "JsonWebToken Signature Algorithm" and it shows more, so maybe RS256 works as long as you do some other configuration.


I was going crazy until I got to this post. Your solution has worked for me! Thanks!