Open jianwu-github opened 5 years ago
I'm also running into this - does anyone know if the API Access Management license is required to use this library, or is there a workaround?
Hi Ben,
It looks like we are in the same boat :-). From what I know, there are two ways to solve this problem for now:
Your Okta Auth Server needs to have an extra paid component, a Custom Authorization Server, to support JWTVerifier; you can find the difference between the general Okta Auth Server and the Okta Custom Authorization Server in this Okta Support Doc
Implement a simple JWTVerifier yourself using the existing introspect endpoint available from the general Okta Auth Server. This is not the best solution but it is doable, especially if you are building an internal app which is not heavily loaded
Hope this info is helpful. Thanks,
Jian
@okta/jwt-verifier currently only verifies tokens from Okta Custom Authorization Servers, which does require API Access Management. If you are using Okta Org Authorization Servers (which don't require API Access Management) you can manually validate against the /introspect endpoint ( https://developer.okta.com/docs/reference/api/oidc/#introspect ).
We’re in the process of updating the README to reflect this, and are considering the best way to offer more convenient access to the information this call returns.
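The manual /introspect validation described in the reply above, written out as an added example; this is not code from the okta-jwt-verifier project or from anyone in the thread. It POSTs the token to https://{oktaDomain}/oauth2/v1/introspect with HTTP Basic client authentication (the shape documented in the Okta OIDC reference linked above), fails closed on anything other than active:true, and then applies the resource server's own scope check. Node 18+ (global fetch) is assumed; the domain, client credentials, required scope and the stubbed responses are constructed for the demo so it runs offline.

```javascript
// Added example (not the okta-jwt-verifier project's code): validate an access
// token from the Okta Org Authorization Server by POSTing it to
// https://{oktaDomain}/oauth2/v1/introspect. Assumes Node 18+ (global fetch)
// and a confidential OIDC client whose client_id/client_secret the introspect
// endpoint accepts via HTTP Basic auth.

class TokenInactiveError extends Error {}
class InsufficientScopeError extends Error {}

// Returns an async introspect(token) function. fetchImpl is injectable so the
// logic can be exercised offline against a stub (see fakeOktaFetch below).
function makeIntrospector({ oktaDomain, clientId, clientSecret, requiredScopes = [], fetchImpl = globalThis.fetch }) {
  const url = `https://${oktaDomain}/oauth2/v1/introspect`;
  const basic = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');

  return async function introspect(token) {
    const res = await fetchImpl(url, {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded',
        Accept: 'application/json',
      },
      body: new URLSearchParams({ token, token_type_hint: 'access_token' }).toString(),
    });
    if (!res.ok) throw new Error(`introspect failed: HTTP ${res.status}`);
    const claims = await res.json();

    // RFC 7662 semantics: expired, revoked or never-issued tokens all come back
    // as {"active": false}. Anything but an explicit true is a rejection.
    if (claims.active !== true) throw new TokenInactiveError('token is not active');

    // active:true means the issuer vouched for signature, issuer and expiry.
    // Whether the token is good enough for *this* API is still the resource
    // server's decision, so check the granted scopes (returned in "scp").
    const granted = new Set(Array.isArray(claims.scp) ? claims.scp : []);
    const missing = requiredScopes.filter((s) => !granted.has(s));
    if (missing.length) throw new InsufficientScopeError(`missing scope(s): ${missing.join(' ')}`);
    return claims;
  };
}

// Constructed stand-in for the introspect endpoint so the example runs offline;
// the responses are made up and only mimic the shape of real replies.
function fakeOktaFetch(responsesByToken) {
  return async (_url, init) => {
    const token = new URLSearchParams(init.body).get('token');
    const claims = responsesByToken[token] ?? { active: false };
    return { ok: true, status: 200, json: async () => claims };
  };
}

async function demo() {
  const introspect = makeIntrospector({
    oktaDomain: 'example.okta.com',                          // assumed org domain
    clientId: '0oa-example', clientSecret: 'example-secret', // assumed client
    requiredScopes: ['api:read'],
    fetchImpl: fakeOktaFetch({
      'tok-good':    { active: true, sub: 'alice@example.com', scp: ['openid', 'api:read'], exp: 4102444800 },
      'tok-noscope': { active: true, sub: 'bob@example.com', scp: ['openid'], exp: 4102444800 },
      'tok-revoked': { active: false },
    }),
  });

  // Report the subject on success, or the error class on rejection.
  const outcome = async (t) => {
    try { return (await introspect(t)).sub; } catch (e) { return e.constructor.name; }
  };
  return {
    good: await outcome('tok-good'),
    noscope: await outcome('tok-noscope'),
    revoked: await outcome('tok-revoked'),
    unknown: await outcome('tok-never-issued'),
  };
}

demo().then((r) => console.log(r));
```

Every request costs a round trip to Okta, which is the trade-off the earlier reply mentions: cache nothing that says active:false, and if you cache active:true responses keep the TTL well below the token's remaining lifetime, since revocation is only visible on the next introspect call.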
I can add some more background here: Okta has two different types of authorization servers that issue tokens, used for two different types of integrations:
(More documentation here: https://developer.okta.com/docs/reference/api/oidc/#composing-your-base-url)
Our JWT verifier packages were built to help with (2), which is why they run into problems with tokens issued by the Okta Org Authorization Server. It's not possible to validate tokens from (1) using JWT validation code; as @swiftone said, you can only validate them by POSTing them to the /introspect endpoint.
The difference between these use cases isn't well-defined in our docs, which can lead to this confusion. Sorry about that! We plan to investigate soon how best to enhance these packages so they're useful for both scenarios.
It's really confusing and misleading that the Okta developer console supports this paid feature out of the box. Developers read through tons of code and documentation to get a working POC against the developer console, only to find -- after some additional wheel spinning -- that this doesn't work in production without this paid feature.
@dustin-rcg If you create an Okta developer account, you'll get this feature by default, for free.
@mraible That's precisely my point, it's free in the developer account, but not in a production Okta account. So it's misleading.
We created a free Okta developer account to test. That is limited to 5 applications, and is not tied into our corporate Okta portal. Our paid corporate Okta portal is integrated with Active Directory and is the "production" Okta for us. When we developed on the developer portal using the Okta JWT Verifier it worked. Then we tried to move to production, using the built-in Org Authorization Server. The Okta JWT verifier does not work with the built-in Org Authorization Server, as stated earlier by @nbarbettini. We would need to purchase a Custom Authorization Server to work with the JWT Verifier, again stated by @nbarbettini. https://developer.okta.com/docs/concepts/auth-servers/
@dustin-rcg Out of curiosity, what type of application are you building? If you're able to share, is it used by internal employees, or customers?
FYI, I no longer work at Okta but I still use it for some projects. I can understand your frustration.
So let me get this straight. If I am using Okta for a corporate portal, I can't use @okta/jwt-verifier?
I'm submitting this issue for the package(s):
I'm submitting a:
Current behavior
The README.md of Okta JWT Verifier for Node.js project states: "This library verifies Okta access tokens (issued by Okta authorization servers) by fetching the public keys from the JWKS endpoint of the authorization server."
As Okta JWT Verifier uses jwks-rsa to verify the Okta Access Token, it needs to fetch the key identified by the "kid" header field from https://[okta-authorization-server]/oauth2/v1/keys.
For a Production Okta Authorization Server without "Custom Authorization Server with API Access Management", the key associated with "kid" is not published, so the Okta JWT Verifier fails with "SigningKeyNotFoundError".
Please fix this bug or provide a solution, as a regular production Okta Authorization Server does not have this extra PAID feature or component. If Okta JWT Verifier for Node.js is designed to ONLY work with Okta Custom Authorization Server with API Access Management, please fix the README.md and let developers know they need to first check whether their production Okta Authorization Server has the required features.
Expected behavior
Okta JWT Verifier for Node.js should work with all production Okta Authorization Servers to verify Okta Access Tokens.
Minimal reproduction of the problem with instructions
Use the React Sign-In Widget to log in and get an access token, then use Okta JWTVerifier to verify this token against any Okta Authorization Server without the "Custom Authorization Server" option.
Extra information about the use case/user story you are trying to implement
Environment
node version (node -v): v10.1.0