I usually verify a JWT using a PEM (`jwt.verify(token, pem, { algorithms: [completeDecodedToken.header.alg] });`) calculated by using the kid in the header to find the correct JWK, which can be used to create a PEM... but the verify() in your lib needs an audience(s) in the second param.
```javascript
const completeDecodedToken = jwtJsDecode.jwtDecode(token);
console.log("decoded token", completeDecodedToken);
if (!completeDecodedToken) {
  throw new Error(`Could not decode JWT: ${token}`);
}
// decode token and use kid to find correct jwk
const jwk = keys.filter(jwk => jwk.kid === completeDecodedToken.header.kid);
// verify the token
if (!jwk.length) {
  throw new Error(`Could not find matching jwk for kid ${completeDecodedToken.header.kid}`);
}
// use kid to create a pem (https://serverfault.com/questions/9708/what-is-a-pem-file-and-how-does-it-differ-from-other-openssl-generated-key-file)
const pem = jwkToPem(jwk[0]);
console.log('verifying token using pem..');
try {
  const jwt = require('jsonwebtoken'); // for some reason this won't work with okta tokens
  jwt.verify(token, pem, { algorithms: [completeDecodedToken.header.alg] });
} catch (err) {
  console.warn('token verification failed', err.message, err.name);
  context.fail("Unauthorized");
  return;
}
```
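The kid-to-JWK lookup described in the post, as an added example that is not the poster's or the library's code: it uses only Node.js built-in `crypto`, and the accepted algorithm comes from a server-side allowlist rather than from the token header. The key, the kid `demo-key-1`, and the helpers `signSample` and `verifyWithJwks` are constructed for illustration, and RS256 as the issuer's algorithm is an assumption.

```javascript
const crypto = require('node:crypto');

// Server-side allowlist mapping JWT alg names to Node digest names (assumption: issuer uses RS256).
const ALLOWED_ALGS = { RS256: 'RSA-SHA256' };
const b64url = (v) => Buffer.from(v).toString('base64url');

// Constructed issuer: one RSA key published as a JWK with a kid.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const keys = [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', alg: 'RS256', use: 'sig' }];

// Hypothetical helper, used only to build sample tokens for this example.
function signSample(header, payload) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Hypothetical verifier: selects the key by kid, checks the signature, returns the payload.
function verifyWithJwks(token, jwks) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  // The header is untrusted input: alg may only select an entry from the allowlist.
  const nodeAlg = Object.hasOwn(ALLOWED_ALGS, header.alg) ? ALLOWED_ALGS[header.alg] : null;
  if (!nodeAlg) throw new Error(`algorithm not allowed: ${header.alg}`);
  const jwk = jwks.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error(`no jwk for kid ${header.kid}`);
  // If the JWK declares an alg, the token must use that one.
  if (jwk.alg && jwk.alg !== header.alg) throw new Error('alg does not match key');
  const key = crypto.createPublicKey({ key: jwk, format: 'jwk' });
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify(nodeAlg, signed, key, Buffer.from(parts[2], 'base64url'))) {
    throw new Error('invalid signature');
  }
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}
```

This checks the signature only; claims such as `exp`, `iss` and `aud` are not validated here.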