okta / okta-sdk-golang

A Golang SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.
https://github.com/okta/okta-sdk-golang

'htu' claim in the DPoP proof JWT is invalid when using pagination #468

Closed demircis closed 1 week ago

demircis commented 3 weeks ago

Describe the bug?

When trying to get the next set of users, the response using the Next method on the response from the initial ListUsers execution gives back a 400 Bad Request status with the following message inside the "WWW-Authenticate" header:

"DPoP algs=\"RS256 RS384 RS512 ES256 ES384 ES512\", authorization_uri=\"http://dev-55958234.okta.com/oauth2/v1/authorize\", realm=\"http://dev-55958234.okta.com\", scope=\"okta.users.read.self\", error=\"invalid_dpop_proof\", error_description=\"'htu' claim in the DPoP proof JWT is invalid.\", resource=\"/api/v1/users\""

What is expected to happen?

The next batch of users should be retrieved and the correct DPoP proof JWT should be set in the SDK.

What is the actual behavior?

The call to Next gives back a 400 Bad Request response, and the next users cannot be retrieved.

Reproduction Steps?

client config:

```go
// Values in {braces} are placeholders for the real org domain, client ID and PEM private key.
cfg, err := okta.NewConfiguration(
	okta.WithOrgUrl("https://{orgDomain}"),
	okta.WithAuthorizationMode("PrivateKey"),
	okta.WithClientId("{clientID}"),
	okta.WithScopes([]string{"okta.users.read", "okta.groups.read"}),
	okta.WithPrivateKey("{privateKey}"),
)
```

List users using the UsersAPI method, then use the response to check whether there are more users with HasNextPage(). If true, call Next() on the response to get more users.

Additional Information?

I did some investigation and it seems like the DPoP htu claim is set to https://dev-55958234.okta.com/api/v1/users?after={someid}&limit=1 when doing Next, but according to the JWT spec, the htu claim should only contain the path and no query params (https://www.iana.org/assignments/jwt/jwt.xhtml), so maybe that is the issue?

Golang Version

go version go1.22.0 darwin/arm64

SDK Version

v4.1.2

OS version

No response

demircis commented 3 weeks ago

Can confirm that the issue is fixed if the correct URI is used in the htu claim.

Issue occurs here: https://github.com/okta/okta-sdk-golang/blob/v4.1.2/okta/response.go#L133

NextPage() returns the full URI including query params, and that is passed as the path argument, while the queryParams argument is left as nil.
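The two comments above describe the defect from both sides: the DPoP `htu` claim must be the request target without its query string (RFC 9449 defines `htu` as the target URI with query and fragment removed), and the SDK's pagination path fed the full next-page link, query included, into the spot that builds that claim. The following Go snippet is an added illustration, not code from okta-sdk-golang: it builds a spec-conformant `htu`, splits a next-page link into the separate path and query parameters a request helper would want, and shows the resource-server side comparison that produces `invalid_dpop_proof` when the claim still carries `?after=...&limit=...`. Function names, the `SplitNextPage` shape and the `after=00uEXAMPLE` value are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// DPoPHTU returns the "htu" claim value for a DPoP proof as RFC 9449 defines it:
// the absolute request target URI with query and fragment stripped.
// Passing a next-page link such as ".../users?after=...&limit=1" through here
// yields ".../users", which is what the Okta resource server expects.
func DPoPHTU(target string) (string, error) {
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	if u.Scheme == "" || u.Host == "" {
		return "", errors.New("htu requires an absolute URI (scheme and host)")
	}
	u.RawQuery = ""
	u.ForceQuery = false
	u.Fragment = ""
	u.RawFragment = ""
	return u.String(), nil
}

// SplitNextPage separates a next-page link into the request path and its query
// parameters, so the path and the parameters can be handed to a request helper
// as two distinct arguments instead of one URL string. This is an illustrative
// shape for the fix, not the SDK's own implementation.
func SplitNextPage(next string) (path string, query map[string]string, err error) {
	u, err := url.Parse(next)
	if err != nil {
		return "", nil, err
	}
	values := u.Query()
	query = make(map[string]string, len(values))
	for k, v := range values {
		if len(v) > 0 {
			query[k] = v[0] // first value wins; Okta pagination uses single-valued params
		}
	}
	return u.Path, query, nil
}

// HTUMatches is the check a resource server performs: the proof's htu must equal
// the normalized target of the request it actually received. A claim that still
// contains a query string fails this check, which is the 400 seen in the issue.
func HTUMatches(claimHTU, requestTarget string) bool {
	want, err := DPoPHTU(requestTarget)
	if err != nil {
		return false
	}
	return claimHTU == want
}

func main() {
	// Constructed next-page link modelled on the one quoted in the issue.
	next := "https://dev-55958234.okta.com/api/v1/users?after=00uEXAMPLE&limit=1"

	htu, err := DPoPHTU(next)
	if err != nil {
		panic(err)
	}
	fmt.Println("htu claim:         ", htu)

	path, query, err := SplitNextPage(next)
	if err != nil {
		panic(err)
	}
	fmt.Println("request path:      ", path)
	fmt.Println("query params:      ", query)

	// The buggy SDK put the whole link into the claim; the server rejects that.
	fmt.Println("full link accepted:", HTUMatches(next, next))
	fmt.Println("stripped accepted: ", HTUMatches(htu, next))
}
```

Running it prints the stripped `htu`, the `/api/v1/users` path with its `after` and `limit` parameters held separately, `false` for the full-link claim and `true` for the stripped one. When reviewing a DPoP client, the useful invariant is that whatever builds `htu` receives the target with its query already removed, regardless of how the caller obtained the URL.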

duytiennguyen-okta commented 3 weeks ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-742331