When making a request to a Flask route that requires a JWT to access (using the @jwt_required decorator on flask-restful resources), I get a 422 UNPROCESSABLE ENTITY with the message: The specified alg value is not allowed.

When logging in and navigating to the (frontend) route that calls the request:

this.axios.get("/jobs").then(res => {
  console.log(res.data);
  this.jobs = res.data.jobs;
});

in the same go, it works as expected; however, on refresh it then shows the 422 error. I store the token in localStorage and load it into the axios headers like so:

const api = {
  init: function() {
    Vue.use(VueAxios, axios);
    Vue.axios.defaults.baseURL = DEV_URL;
  },

  setHeader: function() {
    const token = `Bearer ${getToken()}`;
    Vue.axios.defaults.headers.common["Authorization"] = token;
  },
};

and call init() and setHeader() in my main.js, so I am confused about why this causes an error only after a refresh.

I haven't been able to find any resources on how to remedy the "The specified alg value is not allowed" error. Any assistance would be appreciated! :)

TomHill
  • Can you show us how you generate the token? The algorithm used by the `jwt` is stored in [the header](https://jwt.io/introduction/) - you can set the algorithm `jwt-extended` uses in the [config options](https://flask-jwt-extended.readthedocs.io/en/stable/options.html). One of the tests in the `jwt-extended` [git repo](https://github.com/vimalloc/flask-jwt-extended/blob/master/tests/test_asymmetric_crypto.py) shows how a difference in algorithm can give the error you're getting. – elembie Oct 23 '19 at 02:54
  • @elembie thanks for the response. I've been following the basic usage in the docs. The only config options I set were `JWT_SECRET_KEY`, `JWT_BLACKLIST_ENABLED` and `JWT_BLACKLIST_TOKEN_CHECKS`. I didn't change from the default algorithm. The token was generated by: `access_token = create_access_token(identity=data["username"])`. – TomHill Oct 23 '19 at 04:20
  • I've also just tried changing `JWT_ALGORITHM` to `RS256` and setting private and public keys, and I still have the same issue. – TomHill Oct 23 '19 at 04:34
  • Have you validated that the token is being retrieved properly from the secure store? I'm just thinking the `jwt` might have been modified somehow - maybe print it out on the server and on the client and check it's not changed. – elembie Oct 23 '19 at 04:34

2 Answers

1

I ran into the same problem when the JWT token was created in my Spring Boot auth service but the resource service was a Flask microservice. I tried the following steps to sort it out:

  • I pasted the token into the jwt.io Debugger.
  • On the right-hand side I found the decoded header, where the alg value was the following:
    {
      "alg": "HS512"
    }
  • I put the alg in the app config in the Flask resource server as follows:
    app.config['JWT_ALGORITHM'] = 'HS512'

After that, the error message was gone and I was able to parse information from the decoded token. So you need to find the algorithm by which the token was generated and set the appropriate algorithm in the Flask app.config.

Roaim
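The diagnostic and fix from this answer, as an added example that is not part of the original answer or of flask-jwt-extended: a minimal HMAC JWT minter standing in for the auth service that issued the token, the header-reading step jwt.io performs, and a verifier that pins the accepted algorithm (the check behind the 422) before validating the signature. SECRET_KEY and ALLOWED_ALGORITHM are constructed values here, not the question's real configuration.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for this example; a real app reads them from app.config
# ("JWT_SECRET_KEY" and "JWT_ALGORITHM"), as the answer above sets JWT_ALGORITHM.
SECRET_KEY = b"example-secret-not-for-production"
ALLOWED_ALGORITHM = "HS512"

_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_token(claims: dict, alg: str, key: bytes = SECRET_KEY) -> str:
    """Mint an HMAC-signed JWT, standing in for the auth service that issued the token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), _HASHES[alg]).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def header_alg(token: str) -> str:
    """The jwt.io step from the answer: read 'alg' from the (unverified) header segment."""
    return json.loads(_b64url_decode(token.split(".")[0]))["alg"]


def verify_token(token: str, allowed_alg: str = ALLOWED_ALGORITHM, key: bytes = SECRET_KEY) -> dict:
    """Accept only the configured algorithm, then check the HMAC signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(_b64url_decode(header_b64))["alg"]
    if alg != allowed_alg:
        # The condition behind the 422 "The specified alg value is not allowed":
        # the header's alg is never trusted to pick the verification algorithm.
        raise ValueError(f"The specified alg value is not allowed: {alg!r} (expected {allowed_alg!r})")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), _HASHES[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("Signature verification failed")
    return json.loads(_b64url_decode(payload_b64))
```

Running header_alg() on the token your client actually sends is the quickest way to see which value JWT_ALGORITHM must match; the issuer's algorithm, not the header, decides what the resource server should accept.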
-1

This can happen if the token was created using a different algorithm than app.config['JWT_ALGORITHM'].

vimalloc