issuer url and authentication endpoint

[mathewmeconry]

I'm submitting this issue for the package(s):

• jwt-verifier
• okta-angular
• oidc-middleware
• okta-react
• okta-react-native
• okta-vue

I'm submitting a:

• Bug report
• Feature request
• Other (Describe below)

Current behavior

the packages @okta/okta-react and @okta/jwt-verifier uses different base urls for issuing and verifing a token.

Expected behavior

jwt-verifier finds the correct key with the same issuer

Minimal reproduction of the problem with instructions

given the following config to @okta/okta-react the login process works as expected:

<Security
          issuer="https://myissuer.okta.com/"
          client_id="superClientID"
          redirect_uri={window.location.origin + '/implicit/callback'}
        >

but the verifcation of the token with @okta/jwt-verfier doesn't work because of either the issuer doesn't match or the key couldn't be found

config of jwt-verifier for not matching issuer:

const verifier = new oktaJwtVerifier({
issuer: 'https://myissuer.okta.com/oauth2'
});

const jwt = await verifier.verifyAccessToken(token, 'superClientID');

config of jwt-verifier for not finding the key:

const verifier = new oktaJwtVerifier({
issuer: 'https://myissuer.okta.com/'
});

const jwt = await verifier.verifyAccessToken(token, 'superClientID');

Environment

• Package Version: @okta/jwt-verifier: 1.0.0 / @okta/okta-react: 1.2.0
• Browser: Chrome
• OS: Fedora 30
• Node version (node -v): v11.15.0

[djriffel]

This is also an issue when using the package @okta/okta-vue

I had a working codebase running on an older version, and it seems that this was broken from the last commit (9d76c9f) for jwt-verifier/lib.js

Prior to this commit, the library didn't even verify the issuer, so although you'd have to use different paths for the two libraries to make both the jwksUri (server) and the .well-known (client) paths work, the fetching and verifying would at least still work fine between the two libraries.

A temporary fix

For anyone interested, you can pin your dependency to version 0.0.16 (this is the version just prior to v1). This version requires a clientId parameter to match against the incoming JWT, however, which is not present in v1. To remove this requirement you'd have to roll back to v0.0.12 (I haven't looked into what this roll-back would entail missing out on, however. Running such an old version might not be advisable).

[mraible]

If you use your Okta domain with /oauth2/default as the issuer, everything should work in your frontend and your backend. If you use the org authorization server, http://{yourOktaDomain}, then you will not be able to validate tokens.

[swiftone]

Additional documentation on the various auth server values that can decide what to store as the Issuer can be found here: https://developer.okta.com/docs/concepts/auth-servers/

[radicand]

Why not have the verifier look up the values from .well-known/openid-configuration? If using the org auth server, this file can be referenced and contains the right path for the jwks URI.

[swiftone]

@radicand - A great insight! We're already reviewing our SDKs to see where it makes sense to pull that information from .well-known.

[swiftone]

Internal ref: OKTA-286876

[denysoblohin-okta]

Current documentation and examples for jwt-verifier and okta-react are consistent with issuer. It contains /ouath2/default.

mraible's comment is correct:

If you use your Okta domain with /oauth2/default as the issuer, everything should work in your frontend and your backend. If you use the org authorization server, http://{yourOktaDomain}, then you will not be able to validate tokens.

Feel free to reopen if you still find more inconsistencies with issuer