Flask JWT Extended "The specified alg value is not allowed" Error

Question

When making a request to a flask route that requires a JWT to access using (@jwt_required decorator on flask-restful resources), I get a 422 UNPROCESSABLE ENTITY with the message: The specified alg value is not allowed.

When logging in and navigating to the (frontend) route that calls the request:

this.axios.get("/jobs").then(res => {
      console.log(res.data);
      this.jobs = res.data.jobs;
    });

in the same go, it works as expected, however on refresh it then shows the 422 error. I store the token in localstorage and load it into axios headers like so:

const api = {
  init: function() {
    Vue.use(VueAxios, axios);
    Vue.axios.defaults.baseURL = DEV_URL;
  },

  setHeader: function() {
    const token = `Bearer ${getToken()}`;
    Vue.axios.defaults.headers.common["Authorization"] = token;
  },
};

and call init() and setHeader() in my main.js so I am confused why this is causing an error only after a refresh.

I haven't be able to find any resources on how to remedy the The specified alg value is not allowed error. Any assistance would be appreciated! :)

Answer 1

This can happen if the token was created using a different algorithm then app.config['JWT_ALGORITHM']

Answer 2

I ran into same problem when the JWT token was created in my spring boot auth service but resource service was a flask micro service. I tried the following steps to sort it out,

• I pasted the token in jwt.io Debugger.
• On the right hand side I found the decoded header where the alg value was the following,

    {
      "alg": "HS512"
    }

• I put the alg in the app config in the flask resource server as follows,

    app.config['JWT_ALGORITHM'] = 'HS512'

After that the error message was gone and I was able to parse information from the decoded token. So you need to find the algorithm by which the token was generated and set the appropriate algorithm in the flask app.config.