omniauth / omniauth-okta

OAuth2 strategy for Okta
MIT License

Token claims are not verified #30

Open lancerushing opened 1 year ago

lancerushing commented 1 year ago

Security bug(??)

The call to JWT.decode() https://github.com/omniauth/omniauth-okta/blob/b7d530aaa5d2af69100fe47cfdbd969688cda598/lib/omniauth/strategies/okta.rb#L97-L110 requires true (verify = true) to allow claim verification.

The verify_* options do not do anything unless verify = true (line 99).

see: https://github.com/jwt/ruby-jwt/blob/0ae9af6fd5f5085588a65accb2a23587c52ac637/lib/jwt/decode.rb#L26-L32

lancerushing commented 1 year ago

Something like this is needed: (not tested)

    # needs: require 'jwt'; require 'json'; require 'open-uri'
    # Resolve the JWKS URL from the authorization server's discovery document.
    discovery = JSON.load(URI.open("#{authorization_server_path}/.well-known/openid-configuration"))
    jwks      = JSON.load(URI.open(discovery['jwks_uri']))

    JWT.decode(token,
               nil,   # no static key: ruby-jwt selects the signing key from the JWKS by kid
               true,  # verify must be true, otherwise every verify_* option below is ignored
               algorithm:         'RS256',
               jwks:              jwks,
               verify_iss:        true,
               iss:               authorization_server_path,
               verify_aud:        true,
               aud:               authorization_server_audience,
               verify_sub:        true,
               verify_expiration: true,
               verify_not_before: true,
               verify_iat:        true,
               verify_jti:        false,
               leeway:            60
    ).first

okriuchykhin commented 1 year ago

This strategy uses a full auth code flow, so an ID token is fetched by the app directly from the Okta token endpoint in exchange for an authorization code. Therefore I assume the fact that the token comes from a predefined URL over HTTPS is sufficient for token verification.

UPD: My original comment was more about signature verification.

As for separate claims verification, indeed from version 2 of the ruby-jwt gem the behavior of the verify option has changed. If it is set to false, then verification is completely skipped, even if separate claim verification options are set to true.
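To make the two points in this thread concrete (the first comment's "verify_* options do nothing unless verify = true", and the last comment's description of the ruby-jwt 2.x contract), here is an added example that is not code from omniauth-okta or ruby-jwt. It is a minimal RS256 ID-token verifier built only on Ruby's stdlib (openssl, json) that performs the same two stages ruby-jwt runs when verify is true: signature check against a key selected by kid from a JWKS, then the iss/aud/sub/exp/nbf/iat claim checks the proposed snippet asks for. The `decode` method deliberately mirrors the gem's contract: with verify set to false it returns the payload unchecked and ignores every claim option. The key pair, JWKS document, issuer and audience values are constructed fixtures, not real Okta data.

```ruby
# Added example, not code from omniauth-okta or ruby-jwt: a minimal RS256
# ID-token verifier on Ruby's stdlib that mirrors the two stages ruby-jwt
# runs only when verify = true: signature first, then claims.
require 'openssl'
require 'json'

module IdTokenCheck
  class Error < StandardError; end

  def self.b64url_encode(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    s = str.tr('-_', '+/')
    (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
  end

  # Stage 1: select the signing key by kid from the JWKS and check the signature.
  def self.verify_signature(token, jwks)
    h, p, s = token.split('.')
    raise Error, 'malformed token' unless h && p && s
    header = JSON.parse(b64url_decode(h))
    raise Error, "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'
    jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
    raise Error, 'no JWKS key matches kid' unless jwk
    n = OpenSSL::BN.new(b64url_decode(jwk['n']), 2)
    e = OpenSSL::BN.new(b64url_decode(jwk['e']), 2)
    # Rebuild the RSA public key from its JWK parameters (PKCS#1 RSAPublicKey DER).
    pub = OpenSSL::PKey::RSA.new(
      OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
    )
    ok = pub.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s), "#{h}.#{p}")
    raise Error, 'signature verification failed' unless ok
    JSON.parse(b64url_decode(p))
  end

  # Stage 2: the claim checks the issue's snippet enables (iss, aud, sub, exp,
  # nbf, iat), with leeway applied the same way ruby-jwt applies it.
  def self.verify_claims(claims, iss:, aud:, now: Time.now.to_i, leeway: 60)
    raise Error, 'wrong issuer' unless claims['iss'] == iss
    raise Error, 'wrong audience' unless Array(claims['aud']).include?(aud)
    raise Error, 'missing sub' if claims['sub'].to_s.empty?
    raise Error, 'token expired' unless claims['exp'].is_a?(Numeric) && claims['exp'] > now - leeway
    raise Error, 'token not yet valid' if claims['nbf'].is_a?(Numeric) && claims['nbf'] > now + leeway
    raise Error, 'iat in the future' unless claims['iat'].is_a?(Numeric) && claims['iat'] <= now + leeway
    claims
  end

  # Mirrors the ruby-jwt 2.x contract described in the thread: when the verify
  # flag is false the payload is returned as-is and every claim option is ignored.
  def self.decode(token, jwks, verify, **claim_opts)
    return JSON.parse(b64url_decode(token.split('.')[1])) unless verify
    verify_claims(verify_signature(token, jwks), **claim_opts)
  end

  # Constructed fixture: a throwaway key pair, its JWKS entry, and the claims an
  # authorization server would put in an ID token. Issuer/audience are made up.
  def self.fixture
    key = OpenSSL::PKey::RSA.new(2048)
    jwks = { 'keys' => [{ 'kty' => 'RSA', 'kid' => 'k1', 'use' => 'sig',
                           'n' => b64url_encode(key.n.to_s(2)),
                           'e' => b64url_encode(key.e.to_s(2)) }] }
    now = Time.now.to_i
    claims = { 'iss' => 'https://example.okta.com/oauth2/default', 'aud' => 'api://default',
               'sub' => 'user123', 'iat' => now, 'exp' => now + 3600 }
    header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => 'k1' }
    input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
    token = "#{input}.#{b64url_encode(key.sign(OpenSSL::Digest.new('SHA256'), input))}"
    [token, jwks, claims]
  end
end

if __FILE__ == $PROGRAM_NAME
  token, jwks, claims = IdTokenCheck.fixture
  puts IdTokenCheck.decode(token, jwks, true, iss: claims['iss'], aud: 'api://default')['sub']
  begin
    IdTokenCheck.decode(token, jwks, true, iss: claims['iss'], aud: 'api://other')
  rescue IdTokenCheck::Error => e
    puts "verify=true rejects wrong audience: #{e.message}"
  end
  puts "verify=false accepts it anyway: #{IdTokenCheck.decode(token, jwks, false, iss: claims['iss'], aud: 'api://other')['sub']}"
end
```

The design point is the ordering: the JWKS lookup and signature check come first, so claim values are only trusted once they are known to come from the issuer, and the claim checks are unconditional once verify is on. The `verify: false` branch exists only to show why the thread's proposed fix flips the third argument to true.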