JWT Signature Verification Failed

[jackmerrill]

Hi there! I'm using JWT for my authentication method here, and I have the Next-Auth JWT settings set correctly, with both the signingKey and secret, and it should all be valid.

[...nextauth].tsx

  jwt: {
    signingKey: '{"kty":"oct","kid":"...","alg":"HS512","k":"..."}',
    secret: process.env.JWT_TOKEN,
  },

index.tsx

// getServerSideProps
  const r = req as NextApiRequest;
  const raw = await jwt.getToken({ req: r, raw: true });
  const token = await jwt.decode({
    token: raw,
    secret: process.env.JWT_TOKEN,
  }) as JWTSession;

  if (!token || token === null) {
    return {
      redirect: {
        permanent: false,
        destination: '/auth/login',
      },
    };
  }

Any help to fix this issue is appreciated, as well as any better methods I should be using.

Thanks!

[StefanSelfTaught]

jwt.getToken() can decode the token for you. If you specified a signingKey you probably want to also add an encryptionKey and you should also pass the keys or any other options that you have in your jwt settings.

const token = await jwt.getToken({ req, secret: process.env.JWT_TOKEN, encryptionKey: 'key', signingKey: 'key' })

[iaincollins]

Thanks @StefanSelfTaught this is exactly correct!

How to use keys isn't super well documented to well done both of you for figuring out those options at all! :-)

Obviously this is cumbersome so folks may want to create their own "getToken()" function which is a wrapper for the NextAuth.js method, to make it easier to use in a project. (It would be great to have a tutorial to help show how to do this.)

Needing to pass the same arguments to getToken() (e.g. for keys or custom encode/decode functions) trips a lot of folks up. It's not ideal but it's challenging to solve in a better away, especially with limitations on different environments in mind, but I would like to try and make this less of a "gotcha" in future.

Ultimately having some sort of centralised config would be ideal, but there are some security and environment compatibility challenges there (eg for different serverless platforms) but is something I would like to look at in the future.

[jackmerrill]

Yup thank you! This worked.

[Fronix]

This was exactly what was going wrong for me, thank you for answering this!
I have my own encode/decode functions, but I couldn't for my life figure out why the default decode function was being used... This explains it :)