
I have a SPA application. Each client request contains an `Authorization: Bearer <access_token>` header retrieved from Google https://developers.google.com/identity/protocols/OpenIDConnect (Google creates the JWT token).

When authenticating endpoints (GraphQL ones, by the way) with `@jwt_required` I got the error `The specified alg value is not allowed`.

I tried tweaking the configuration options as stated here, without luck (basically setting `JWT_ALGORITHM` or `JWT_PUBLIC_KEY` to `RS256`, but then I get either `JWT_PUBLIC_KEY must be set to use asymmetric cryptography algorithm "RS256"` or `Could not deserialize key data.`).

Here is the shape of the Google JWT:

header:

{
  "alg": "RS256",
  "kid": "",
  "typ": "JWT"
}

body:

{
  "iss": "https://accounts.google.com",
  "azp": "some.apps.googleusercontent.com",
  "aud": "some.apps.googleusercontent.com",
  "sub": "some_uuid",
  "email": "email@test.com",
  "email_verified": true,
  "at_hash": "",
  "name": "use_full_name",
  "picture": "https://lh3.googleusercontent.com/a-/some",
  "given_name": "user_name",
  "family_name": "last_name",
  "locale": "en",
  "iat": 1572189191,
  "exp": 1572192791
}

Any help appreciated! (I keep trying, though.)

Vicens Fayos
  • Did you set `JWT_PUBLIC_KEY` to the public key the JWTs were signed with? – Klaus D. Oct 28 '19 at 09:26
  • Hi @KlausD. thanks for your quick answer! How can I find the public key the Google JWT token was signed with? I tried with the `kid` key or with `kid` values from `https://www.googleapis.com/oauth2/v3/certs`. Currently I set `app.config['JWT_ALGORITHM'] = 'RS256'` and `app.config['JWT_PUBLIC_KEY'] = {kid}`; error: `Could not deserialize key data.` – Vicens Fayos Oct 28 '19 at 11:42
  • How did you solve the problem? @VicensFayos – Asif Ali Jan 07 '21 at 19:26
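The comment thread stops at the point where `JWT_PUBLIC_KEY` was set to the `kid`, which is only a label for a key, not the key itself. The following is an added example (not code from the question, from Google, or from the JWT library in use): it selects the entry of a JWKS document (the shape served at `https://www.googleapis.com/oauth2/v3/certs`) whose `kid` matches the token header, and converts that entry's RSA `n`/`e` into the PEM text an RS256 verifier expects in `JWT_PUBLIC_KEY`. The JWKS and token below are constructed samples, and the DER/PEM encoding is hand-rolled so the snippet runs on the standard library alone; in a real deployment you would let the `cryptography` package or your JWT library do that conversion.

```python
import base64
import json
import textwrap
# Constructed sample data (not real Google keys): a JWKS shaped like the one at
# https://www.googleapis.com/oauth2/v3/certs, plus an unsigned token whose header
# is {"alg":"RS256","kid":"kid-b","typ":"JWT"} over an empty payload.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-a", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kid-b",
     "n": "AOq4S3i1OJoBu0xXrDlHtd2oB8Qq8Z8fZ6ixA6n7y6c", "e": "AQAB"},
]}
SAMPLE_TOKEN = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImtpZC1iIiwidHlwIjoiSldUIn0.e30.sig"

def b64url_decode(s):
    """Decode unpadded base64url, as used for JWT segments and JWK n/e."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def token_kid(token):
    """kid from the still-unverified header; it only selects the key to verify with."""
    return json.loads(b64url_decode(token.split(".")[0]))["kid"]

def der(tag, payload):
    # Minimal DER tag-length-value encoder (definite lengths only).
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(i):
    b = i.to_bytes((i.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # leading zero keeps the INTEGER positive
        b = b"\x00" + b
    return der(0x02, b)

def jwk_to_pem(jwk):
    """RSA JWK (n, e) -> SubjectPublicKeyInfo PEM: this text, not the kid, goes in JWT_PUBLIC_KEY."""
    n, e = (int.from_bytes(b64url_decode(jwk[k]), "big") for k in ("n", "e"))
    rsa_pub = der(0x30, der_int(n) + der_int(e))  # PKCS#1 RSAPublicKey
    alg_id = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, alg_id + der(0x03, b"\x00" + rsa_pub))  # rsaEncryption + BIT STRING
    body = "\n".join(textwrap.wrap(base64.b64encode(spki).decode(), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def public_key_for_token(token, jwks):
    """PEM of the JWKS key whose kid matches the token (a miss should re-fetch: Google rotates keys)."""
    kid = token_kid(token)
    for jwk in jwks["keys"]:
        if jwk.get("kid") == kid and jwk.get("kty") == "RSA":
            return jwk_to_pem(jwk)
    raise KeyError(f"no RSA key with kid={kid!r} in the JWKS")
```

The returned PEM is what goes into `app.config['JWT_PUBLIC_KEY']` alongside `app.config['JWT_ALGORITHM'] = 'RS256'`; a correct signature alone is not enough, so the `iss` and `aud` claims shown in the payload above must also be checked against `https://accounts.google.com` and your own client id.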
