
Error while verifying the Okta token from Node.js #16

Open
jayendrajatav opened this issue May 26, 2022 · 14 comments
Labels
bug Something isn't working

Comments

@jayendrajatav

Describe the bug?

Using the Okta JWT Verifier package in Node.js with the NestJS framework, we are getting the error "Error while resolving signing key for kid "cjCtmAl4jaByzZs5p****************zf6ZAU"".

We are using const jwt = await oktaJwtVerifier.verifyAccessToken(token,ENV_VALUES.OKTA_CLIENTID); to get the email and claims.

What is expected to happen?

Expected OKTA claims and email after token verification.

What is the actual behavior?

Frontend (Angular):
We receive a token from Okta using the following configuration:

const okta_prod_config = {
  issuer: '[xxxxxxx.okta.com/](http://xxxxxxx.okta.com/)',
  clientId: '**********',
  redirectUri: window.location.origin + '/login/callback',
  scopes: ['openid', 'profile', 'email'],
  testing: { disableHttpsCheck: false }
};

After successful Okta authentication, we pass this token to our server in the API header, i.e., Authorization: Token

Backend (Node.js):
After receiving the token from the API header, we verify it with the Okta JWT verifier by passing the client ID and the issuer.

const jwt = await oktaJwtVerifier.verifyAccessToken(token,ENV_VALUES.OKTA_CLIENTID);

We tried pasting the token received from Okta into jwt.io and compared the information with what we pass to the Okta verifier. The information matches, but the code goes to the catch block and throws the error shown in the screenshot below.

[screenshot: error JWT]

Reproduction Steps?

It happens every time.

SDK Versions

  • jwt-verifier package Version: 2.0.0

  • OKTA SDK (Angular):
    "@okta/okta-angular": "^4.1.1",
    "@okta/okta-auth-js": "^5.11.0",

Execution Environment

  • Node version (node -v): 13.9.1
  • Browser: Chrome
  • OS: Windows 10

Additional Information?

No response

@jayendrajatav jayendrajatav added the bug Something isn't working label May 26, 2022
@denysoblohin-okta
Contributor

What issuer do you specify on creation of OktaJwtVerifier instance?

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: ?
})

Your error looks like an issuer mismatch between Angular and Node.js.
Did you try specifying the default auth server (http://xxxxxxx.okta.com/oauth2/default) on Angular and Node.js?

@saumyadip1782

We are facing the same issue as above. Is there any resolution for this?

@denysoblohin-okta
Contributor

@saumyadip1782
Could you answer the questions above, please?
Also, what is the full text of innerError?
The reason can be an incorrect issuer setting. In the config provided by @jayendrajatav there is an error: issuer: '[xxxxxxx.okta.com/](http://xxxxxxx.okta.com/)' (looks like a markdown link).

@saumyadip1782

Here is the error
@denysoblohin-okta
{
  "status": 403,
  "message": {
    "name": "JwtParseError",
    "userMessage": "Error while resolving signing key for kid "------ Some Key-------- "",
    "message": "Error while resolving signing key for kid "------ Some Key-------- "",
    "jwtString": "eyJraWQiOiJXRjVncEt3ZC1jR1JRVVhnYjd2S2hKWmFPcU12QlJtanh3a1VhZjFTc1hFIiwiYWxnIjoiUlMyNTYifQ. ____________ token ________1bTNJZnNXT0kiLCJpc3MiOiJodHRwczovL2Rldi03NTk4NjYzMy5va3RhLmNvbSIsImF1ZCI6Imh0dHBzOi8vZGV2LTc1OTg2NjMzLm9rdGEuY29tIiwic3ViIjoicHJpdGhpcmFqLnJveUBudXZhbmNlaGVhbHRoLm9yZyIsImlhdCI6MTY2MjYyMDU2NSwiZXhwIjoxNjYyNjI0MTY1LCJjaWQiOiIwb2E2YzBibWZvdjBJQm5pOTVkNyIsInVpZCI6IjAwdTViaGZ6bXpYYkc1N0x0NWQ3Iiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsImFkZHJlc3MiLCJwaG9uZSJdLCJhdXRoX3RpbWUiOjE2NjI2MTc1MDN9.GQTz8GUCIA6fXQLS4f7NZeX_z4J_R-WGeHImoAdFezKEEfsjUhMU1TSL5pqHSEvxSo_qYYdPYkEEnLIwoIUvxV7fgmHNRTdLn5_wCjx9D1Y5fY059co6ibvSSAg92vykwzkkj5rF-Z42KwoX7truIGd6n59FoCUSphJL8GoLvM-7-8kfp0qLm540UQFHMPb9kQiPRdzAJkhMxuEs08n5Rr21kJMiPwgNjdoqnXAQ14wQexUwMVJk_t1pzvpuK8tAVbh88jFp_zmLfdsDRgkv2LOg6kFS99CTli7jdQV1CHRltsVP3B9CadyQki3wWeCTLUaAXjN2Wkvu4N3_3M9qlg",
    "parsedHeader": {
      "typ": "JWT",
      "alg": "RS256",
      "kid": "------ Some Key-------- "
    },
    "parsedBody": {
      "ver": 1,
      "jti": "------ Some Key-------- I",
      "iss": "https://dev-xxxxxxxx.okta.com",
      "aud": "https://dev-xxxxxxxx.okta.com",
      "sub": "[email protected]",
      "iat": 1662620565,
      "exp": 1662624165,
      "cid": "0oa6cxxxxxx0IBni95d7",
      "uid": "00u5bxxxxxxG57Lt5d7",
      "scp": [
        "openid",
        "profile",
        "email",
        "address",
        "phone"
      ],
      "auth_time": 1662617503
    },
    "innerError": {
      "name": "SigningKeyNotFoundError",
      "message": "Unable to find a signing key that matches '------ Some Key-------- '"
    }
  }
}
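Editor's example, not code from @okta/jwt-verifier or from anyone in this thread: an offline triage for the error dump above and for the issuer question denysoblohin-okta asks. It decodes the token without verifying it, compares the iss claim to the verifier's configured issuer (tolerating a trailing slash), classifies the issuer as Okta's org authorization server (https://{domain}) or a custom one (https://{domain}/oauth2/{id}), derives the JWKS URL for each, and checks the token's kid against a JWKS document. The domain dev-000000.okta.com, the kid values and the JWKS entry are constructed; with a real token you would pass the JSON fetched from the derived jwksUri instead.

```javascript
// Added example, not code from @okta/jwt-verifier or from this thread.
// Offline triage for "Error while resolving signing key for kid ...".

function b64urlDecode(s) {
  const pad = s.length % 4 === 0 ? '' : '='.repeat(4 - (s.length % 4));
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

function b64urlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Diagnostics only: nothing here checks the signature.
function decodeUnverified(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS: expected 3 dot-separated segments');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

const stripTrailingSlash = (u) => String(u || '').replace(/\/+$/, '');

// Okta issuer shapes: org authorization server = https://{domain};
// custom authorization server = https://{domain}/oauth2/{authServerId}.
// The JWKS URLs are the documented Okta endpoints for each.
function classifyIssuer(iss) {
  let u;
  try { u = new URL(iss); } catch (e) { return { kind: 'invalid', jwksUri: null }; }
  const custom = u.pathname.match(/^\/oauth2\/([^/]+)\/?$/);
  if (custom) return { kind: 'custom', jwksUri: `${u.origin}/oauth2/${custom[1]}/v1/keys` };
  if (u.pathname === '/' || u.pathname === '') return { kind: 'org', jwksUri: `${u.origin}/oauth2/v1/keys` };
  return { kind: 'unknown', jwksUri: null };
}

function triage(token, configuredIssuer, jwks) {
  const { header, payload } = decodeUnverified(token);
  const findings = [];
  if (stripTrailingSlash(payload.iss) !== stripTrailingSlash(configuredIssuer)) {
    findings.push(`issuer mismatch: token iss=${payload.iss} vs verifier issuer=${configuredIssuer}`);
  } else if (payload.iss !== configuredIssuer) {
    findings.push('issuer differs from the config only by a trailing slash; normalize the config');
  }
  const cls = classifyIssuer(payload.iss);
  if (cls.kind === 'org') {
    findings.push('token was minted by the org authorization server (iss has no /oauth2/{id} path)');
  }
  const kids = (jwks && jwks.keys ? jwks.keys : []).map((k) => k.kid);
  if (!kids.includes(header.kid)) {
    findings.push(`kid ${header.kid} not present in JWKS (${cls.jwksUri || 'unknown URL'}); keys seen: ${kids.join(', ') || 'none'}`);
  }
  return { kid: header.kid, iss: payload.iss, issuerKind: cls.kind, jwksUri: cls.jwksUri, findings };
}

// Constructed sample data (no real keys or tokens). The third segment is a
// placeholder because the signature is never checked here.
function makeUnsignedToken(header, payload) {
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.placeholder`;
}

const SAMPLE_JWKS = { keys: [{ kty: 'RSA', alg: 'RS256', use: 'sig', kid: 'key-A', e: 'AQAB', n: 'constructed' }] };
const SAMPLE_TOKEN = makeUnsignedToken(
  { typ: 'JWT', alg: 'RS256', kid: 'key-B' },
  { iss: 'https://dev-000000.okta.com', aud: 'https://dev-000000.okta.com', sub: 'user@example.com' },
);

// Same shape as the report above: org-server iss and aud, verifier configured
// for /oauth2/default, kid absent from that server's JWKS.
console.log(triage(SAMPLE_TOKEN, 'https://dev-000000.okta.com/oauth2/default', SAMPLE_JWKS));
```

The token in the report above carries the bare org domain as both iss and aud, so a verifier pointed at a custom authorization server (and therefore at that server's JWKS) cannot find its kid; the triage separates that case from a plain trailing-slash typo and from a key that was rotated out of the JWKS.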

@marcelobotega

Hi @jayendrajatav and @saumyadip1782, did you fix this problem?
I'm facing the same issue.

@denysoblohin-okta
Contributor

Similar issue: okta/okta-oidc-js#797
Have you tried configuring the issuer with /oauth2/default?

@ArthurWosniaki

Any updates about that?

I'm using OKTA_ISSUER=${OKTA_DOMAIN}/oauth2/default and OKTA_AUDIENCE=api://default and getting the same error.

@denysoblohin-okta
Contributor

@ArthurWosniaki
Don't you have a trailing slash in OKTA_DOMAIN?

Could you please set environment variable DEBUG=jwks while reproducing your error and post logs?

@ArthurWosniaki

ArthurWosniaki commented Nov 21, 2022

@ArthurWosniaki Don't you have a trailing slash in OKTA_DOMAIN?

Could you please set environment variable DEBUG=jwks while reproducing your error and post logs?

Sorry, let me be more clear:

.env:

OKTA_ISSUER=https://dev-xxxxxxx.okta.com/oauth2/default
OKTA_AUDIENCE=api://default

server:

import OktaJwtVerifier from '@okta/jwt-verifier'

const issuer = process.env.OKTA_ISSUER as string
const audience = process.env.OKTA_AUDIENCE as string

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer,
});

export const createOktaAdminSession: MutationResolvers['createOktaAdminSession'] = async (
  _,
  args,
  context,
) => {
  const { accessToken } = args?.input

  // return the promise chain so the resolver waits for verification to finish
  return oktaJwtVerifier.verifyAccessToken(accessToken, audience)
    .then(jwt => {
      // the token is valid (per definition of 'valid' above)
      console.log(jwt.claims);
    })
    .catch(err => {
      // a validation failed, inspect the error
      console.log({ err })
    });
}

The accessToken's claims.iss is the same as OKTA_ISSUER and aud is the same as OKTA_AUDIENCE.

Where do I add this DEBUG?

Edit: BTW, this is a GraphQL server; I'm sending the accessToken in the args through the playground for testing. I don't know if this matters...

Edit 2: turns out it was a SELF_SIGNED_CERT_IN_CHAIN error when requesting the jwks endpoint... I set NODE_TLS_REJECT_UNAUTHORIZED=0 and it bypassed the problem...

@AnthonyNeo

AnthonyNeo commented Dec 27, 2022

Edit 2: turns out it was a SELF_SIGNED_CERT_IN_CHAIN error when requesting the jwks endpoint... I set NODE_TLS_REJECT_UNAUTHORIZED=0 and it bypassed the problem...

  1. Allowing self-signed and unauth certs is not ideal.
  2. Where was that cert signed? Is it an Okta cert, or was it when generating the token?

I'm running into the same issue, and I'm half a step away from writing my own validation because I can't get this one working, and it buries all the real error messages.

@ArthurWosniaki

Edit 2: turns out it was a SELF_SIGNED_CERT_IN_CHAIN error when requesting the jwks endpoint... I set NODE_TLS_REJECT_UNAUTHORIZED=0 and it bypassed the problem...

  1. Allowing self-signed and unauth certs is not ideal.
  2. Where was that cert signed? Is it an Okta cert, or was it when generating the token?

I'm running into the same issue, and I'm half a step away from writing my own validation because I can't get this one working, and it buries all the real error messages.

It's the SSL cert. I was testing locally, so I needed to disable TLS. When I deployed the project to my https dev environment it worked fine without needing to disable TLS.
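Editor's example, not part of @okta/jwt-verifier or of any comment in this thread. The verifier surfaces a failed JWKS fetch as "Error while resolving signing key", which is what hid the SELF_SIGNED_CERT_IN_CHAIN error above and is the "buries the real error messages" complaint. This walker follows innerError, cause and originalError (which property a given library version actually uses is an assumption; the sample errors are constructed to mirror the JSON posted earlier in the thread, with a TLS failure placed underneath) and maps what it finds to a verdict.

```javascript
// Added example, not code from @okta/jwt-verifier or from this thread.
// Walks a nested verifier error to its innermost cause and classifies it, so a
// TLS or DNS failure while fetching the JWKS is not misread as "bad token".

function errorChain(err) {
  const chain = [];
  const seen = new Set();
  let cur = err;
  while (cur && typeof cur === 'object' && !seen.has(cur)) {
    seen.add(cur);
    chain.push({ name: cur.name || null, code: cur.code || null, message: cur.message || '' });
    // Property names assumed: innerError (this verifier), cause (Node), originalError (some HTTP clients).
    cur = cur.innerError || cur.cause || cur.originalError;
  }
  return chain;
}

// Node's TLS verification failure codes and common socket/DNS codes.
const TLS_CODES = ['SELF_SIGNED_CERT_IN_CHAIN', 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'DEPTH_ZERO_SELF_SIGNED_CERT', 'CERT_HAS_EXPIRED', 'ERR_TLS_CERT_ALTNAME_INVALID',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY'];
const NET_CODES = ['ENOTFOUND', 'ECONNREFUSED', 'ETIMEDOUT', 'ECONNRESET', 'EAI_AGAIN'];

function diagnose(err) {
  const chain = errorChain(err);
  const root = chain[chain.length - 1] || { name: null, code: null, message: String(err) };
  const codes = chain.map((e) => e.code).filter(Boolean);
  const names = chain.map((e) => e.name).filter(Boolean);
  const text = chain.map((e) => e.message).join(' | ');
  let verdict;
  if (codes.some((c) => TLS_CODES.includes(c))) {
    // JWKS fetch died at the TLS layer: trust the intercepting CA via
    // NODE_EXTRA_CA_CERTS, never NODE_TLS_REJECT_UNAUTHORIZED=0.
    verdict = 'tls';
  } else if (codes.some((c) => NET_CODES.includes(c))) {
    verdict = 'network'; // JWKS endpoint unreachable from this host
  } else if (names.includes('SigningKeyNotFoundError')) {
    verdict = 'kid-not-in-jwks'; // fetch worked, kid absent: wrong issuer/JWKS URL or rotated key
  } else if (/issuer|audience|expired|exp\b/i.test(text)) {
    verdict = 'claim'; // the verifier rejected a claim; the token itself is the problem
  } else {
    verdict = 'unknown';
  }
  return { verdict, root, chain };
}

// Constructed errors in the shape shown in this thread (JwtParseError
// wrapping SigningKeyNotFoundError), once with a TLS error underneath.
function sampleTlsError() {
  const tls = new Error('self signed certificate in certificate chain');
  tls.code = 'SELF_SIGNED_CERT_IN_CHAIN';
  const notFound = new Error("Unable to find a signing key that matches 'abc'");
  notFound.name = 'SigningKeyNotFoundError';
  notFound.cause = tls;
  const outer = new Error('Error while resolving signing key for kid "abc"');
  outer.name = 'JwtParseError';
  outer.innerError = notFound;
  return outer;
}

function sampleKidError() {
  const notFound = new Error("Unable to find a signing key that matches 'abc'");
  notFound.name = 'SigningKeyNotFoundError';
  const outer = new Error('Error while resolving signing key for kid "abc"');
  outer.name = 'JwtParseError';
  outer.innerError = notFound;
  return outer;
}

console.log(diagnose(sampleTlsError()).verdict, '/', diagnose(sampleKidError()).verdict);
```

For the TLS verdict the right fix is to make Node trust the intercepting proxy's CA, for example NODE_EXTRA_CA_CERTS=/path/to/corp-root.pem node server.js, rather than NODE_TLS_REJECT_UNAUTHORIZED=0, which turns off certificate validation for every outbound connection in the process, including the JWKS fetch that the verifier's whole security argument rests on.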

@jensalbrechtiu

jensalbrechtiu commented Feb 6, 2024

I wanted to add an Information to this topic that I just found out:

Therefore, Okta by design does not provide the public keys used to sign these access tokens.

source

And I tested this: the /v1/keys endpoint does not provide public keys for access tokens, only for ID tokens. So this library, which uses the JWKS endpoint /v1/keys, cannot be used to verify access tokens, only ID tokens.

Which is kind of confusing because everywhere else it says "if you are trying to protect an API/resource server with OAuth tokens, you should be using Access Tokens instead for auth".

So I guess in case of access-tokens, okta-jwt-verifier-js needs to use the /v1/introspect endpoint to verify the user?

@nathanloyer

I keep getting this error intermittently with a production application. It's concerning that there seems to be no definitive resolution available.

@ataylorme

I was able to get this to work with both access token and id token from the ones generated from an Okta SPA app.

Example curl request below. You will need to update MY_OKTA_DOMAIN, TOKEN_HERE and SPA_CLIENT_ID, and set token_type_hint to either id_token or access_token.

curl -v -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \
"https://MY_OKTA_DOMAIN/oauth2/v1/introspect" \
-d "token=TOKEN_HERE" \
-d "token_type_hint=id_token" \
-d "client_id=SPA_CLIENT_ID" 

I did notice the ID token returns the groups from the groups claim, which is useful in my case, and the access token does not.
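Editor's example, not code from this thread or from Okta's SDKs: the same introspection call made from Node, split into a pure request builder (covering both the org server path used in the curl above and a custom server at /oauth2/{id}/v1/introspect), an HTTP step with an injectable fetch, and the checks a resource server still has to apply to the response, since "active": true alone says nothing about which client, audience or scopes the token was issued for. oktaDomain, the client ID 0oaCONSTRUCTED and both response objects are constructed.

```javascript
// Added example, not code from this thread or from Okta's SDKs.
// Server-side token introspection against Okta, with the response checks a
// resource server must still perform itself.

function buildIntrospectRequest({ oktaDomain, authServerId, token, clientId, tokenTypeHint = 'access_token' }) {
  // Org authorization server: https://{domain}/oauth2/v1/introspect (the curl above).
  // Custom authorization server: https://{domain}/oauth2/{authServerId}/v1/introspect.
  const base = authServerId
    ? `https://${oktaDomain}/oauth2/${authServerId}`
    : `https://${oktaDomain}/oauth2`;
  const body = new URLSearchParams({ token, token_type_hint: tokenTypeHint, client_id: clientId });
  return {
    url: `${base}/v1/introspect`,
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
    body: body.toString(),
  };
}

// fetchImpl is injectable so the flow can be exercised without network access.
async function introspectToken(opts, fetchImpl = globalThis.fetch) {
  const req = buildIntrospectRequest(opts);
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) throw new Error(`introspection failed: HTTP ${res.status}`);
  return res.json();
}

// Acceptance policy for the introspection response. `now` is injectable for testing.
function acceptIntrospection(body, { expectedClientId, expectedAudience, requiredScopes = [], now = Math.floor(Date.now() / 1000) }) {
  const reasons = [];
  // Okta answers {"active": false} with no other fields for unknown, expired or revoked tokens.
  if (body.active !== true) reasons.push('inactive');
  if (typeof body.exp === 'number' && body.exp <= now) reasons.push('expired');
  if (expectedClientId && body.client_id !== expectedClientId) reasons.push('client_id mismatch');
  if (expectedAudience && body.aud !== expectedAudience) reasons.push('aud mismatch');
  const granted = typeof body.scope === 'string' ? body.scope.split(' ') : [];
  for (const s of requiredScopes) if (!granted.includes(s)) reasons.push(`missing scope: ${s}`);
  return { ok: reasons.length === 0, reasons, subject: body.sub || null };
}

// Constructed introspection responses in the JSON shape of the endpoint.
const ACTIVE_RESPONSE = {
  active: true, token_type: 'Bearer', client_id: '0oaCONSTRUCTED',
  scope: 'openid profile email', sub: 'user@example.com', aud: 'api://default',
  exp: 2000000000, iat: 1999996400,
};
const INACTIVE_RESPONSE = { active: false };

console.log(acceptIntrospection(ACTIVE_RESPONSE, {
  expectedClientId: '0oaCONSTRUCTED', expectedAudience: 'api://default',
  requiredScopes: ['email'], now: 1999999000,
}));
```

Introspection costs a round trip to Okta per request, so in practice the result is cached for at most the remaining lifetime of the token; the acceptance checks above run on every request regardless.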

9 participants