Verification of RS256-encoded JWT does not work with Node 18 #846

hrueger opened this issue Oct 7, 2022 · 3 comments

hrueger commented Oct 7, 2022

Description

I'm trying to verify a JWT created by Keycloak. It uses the RS256 algorithm. That works with Node 16, but not with Node 18. I get the following error:

error:1E08010C:DECODER routines::unsupported

This is probably due to the version bump of OpenSSL in Node (Node 16 uses openssl: '1.1.1q+quic' while 18 shows openssl: '3.0.5+quic').

See here: openssl/openssl#17378 Apparently, it's a feature not a bug...

Reproduction

console.log(jwt.verify(myJWT, myKey, {algorithms: ["RS256"]}));

Environment

Please provide the following:

  • Version of this library used: 8.5.1
  • Version of the platform or framework used, if applicable: -
  • Other relevant versions (language, server software, OS, browser): Node 16 / 10, Windows 10
  • Other modules/plugins/libraries that might be involved: OpenSSL included in Node

sghoe commented Dec 1, 2022

Thank you for sharing this issue. Did you find a way around it?

hrueger commented Dec 1, 2022

No, unfortunately not. I had to switch back to using node 16 for now.

hrueger commented Dec 21, 2022

It seems like we need to add the following .env variable:

NODE_OPTIONS=--openssl-legacy-provider 

Reference: https://stackoverflow.com/questions/69962209/what-is-openssl-legacy-provider-in-node-js-v17
nodejs/node#40455
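
The DECODER error class reported in this issue is raised when OpenSSL 3 cannot decode the key material it is handed, which happens before any signature is checked. As an added example (not code from this thread or from the library), the Node.js sketch below parses the key separately from RS256 verification so the two failure modes can be told apart; the function names, the key pair and token constructed at run time, and the assumption that the key arrives as a bare base64 body without PEM armor are all illustrative.

```javascript
// Added example: constructed keys and token, Node built-ins only.
const crypto = require("node:crypto");
const b64url = (data) => Buffer.from(data).toString("base64url");

// Parse key material on its own, so a decoding failure is reported as such.
function loadPublicKey(material) {
  try {
    return { ok: true, key: crypto.createPublicKey(material) };
  } catch (err) {
    return { ok: false, code: err.code, message: err.message };
  }
}

// Wrap a bare base64 SubjectPublicKeyInfo body in PEM armor, 64 chars per line.
function wrapSpkiPem(b64) {
  const body = b64.replace(/\s+/g, "").match(/.{1,64}/g).join("\n");
  return `-----BEGIN PUBLIC KEY-----\n${body}\n-----END PUBLIC KEY-----\n`;
}

// Minimal RS256 check: pinned algorithm, signature over "header.payload".
function verifyRs256(token, publicKey) {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return false;
  const header = JSON.parse(Buffer.from(h, "base64url").toString("utf8"));
  if (header.alg !== "RS256") return false; // reject any other algorithm
  return crypto.verify("sha256", Buffer.from(`${h}.${p}`), publicKey, Buffer.from(s, "base64url"));
}

// Constructed sample: throwaway key pair and token generated at run time.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const head = b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ sub: "constructed-user" }));
  const sig = crypto.sign("sha256", Buffer.from(`${head}.${body}`), privateKey);
  const token = `${head}.${body}.${b64url(sig)}`;
  const forged = `${head}.${b64url(JSON.stringify({ sub: "other" }))}.${b64url(sig)}`;
  const bare = publicKey.export({ type: "spki", format: "der" }).toString("base64");
  const bareResult = loadPublicKey(bare); // no PEM armor: decoding fails
  const wrapped = loadPublicKey(wrapSpkiPem(bare));
  return {
    bareOk: bareResult.ok,
    bareError: bareResult.message,
    wrappedOk: wrapped.ok,
    verified: wrapped.ok && verifyRs256(token, wrapped.key),
    forgedAccepted: wrapped.ok && verifyRs256(forged, wrapped.key),
  };
}

console.log(demo());
```

If `loadPublicKey` fails on the real key, the problem lies in the key's encoding rather than in the token or its signature.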
