I have a SPA application. Each client request contains an Authorization: Bearer <access_token> retrieved from google https://developers.google.com/identity/protocols/OpenIDConnect (google creates the JWT token)
When authenticating endpoints (graphQL ones by the way) with @jwt_required I got error The specified alg value is not allowed
I tried by tweaking configuration options as state here without luck. (basically setting JWT_ALGORITHM or JWT_PUBLIC_KEY to RS256 but then I get either JWT_PUBLIC_KEY must be set to use asymmetric cryptography algorithm "RS256" or Could not deserialize key data.
Here JWT google shape:
header:
"alg": "RS256",
"kid": "",
"typ": "JWT"
}
body:
{
"iss": "https://accounts.google.com",
"azp": "some.apps.googleusercontent.com",
"aud": "some.apps.googleusercontent.com",
"sub": "some_uuid",
"email": "[email protected]",
"email_verified": true,
"at_hash": "",
"name": "use_full_name",
"picture": "https://lh3.googleusercontent.com/a-/some",
"given_name": "user_name",
"family_name": "last_name",
"locale": "en",
"iat": 1572189191,
"exp": 1572192791
}
any help appreciated! (keep trying though)