Open lancerushing opened 1 year ago
Something like this is needed: (not tested)
require 'jwt'
require 'json'
require 'open-uri'

# Discover the JWKS endpoint from the authorization server's OpenID configuration,
# then fetch the key set itself.
oidc_config = JSON.parse(URI.open("#{authorization_server_path}/.well-known/openid-configuration").read)
jwks = JSON.parse(URI.open(oidc_config['jwks_uri']).read, symbolize_names: true)

JWT.decode(token,
  nil,
  true,                      # verify = true; with false every verify_* option below is ignored
  algorithm: 'RS256',
  jwks: jwks,
  verify_iss: true,
  iss: authorization_server_path,
  verify_aud: true,
  aud: authorization_server_audience,
  verify_sub: true,
  verify_expiration: true,
  verify_not_before: true,
  verify_iat: true,
  verify_jti: false,
  leeway: 60
).first                      # [payload, header] -> payload
This strategy uses a full auth code flow, so an ID token is fetched by the app directly from the Okta token endpoint in exchange for the authorization code. Therefore I assume the fact that the token comes from a predefined URL over HTTPS is sufficient for token verification.
UPD: My original comment was more about signature verification.
As for separate claims verification, indeed from version 2 of the ruby-jwt gem the behavior of the verify option has changed. If it is set to false, then verification is completely skipped, even if separate claim verification options are set to true.
Security bug(??)
The call to JWT.decode() at https://github.com/omniauth/omniauth-okta/blob/b7d530aaa5d2af69100fe47cfdbd969688cda598/lib/omniauth/strategies/okta.rb#L97-L110 requires true (verify = true) to allow claim verification. The verify_* options do not do anything unless verify = true (line 99).
See: https://github.com/jwt/ruby-jwt/blob/0ae9af6fd5f5085588a65accb2a23587c52ac637/lib/jwt/decode.rb#L26-L32