
okta-jwt-verifier-js's People

Contributors

aarongranick-okta, bretterer, denysoblohin-okta, dogeared, emasjedi, eponsonby, jaredperreault-okta, jmelberg-okta, lboyette-okta, lucis-fluxum, manueltanzi-okta, monochromechameleon, oktauploader-okta, oleksandrpravosudko-okta, releng-internal-okta, robertjd, ryansonshine, shuowu, shuowu-okta, swiftone, vijetmahabaleshwar-okta, vtajzich


okta-jwt-verifier-js's Issues

jwks-rsa client no longer supports `requestAgentOptions`

Describe the bug?

Code location:

okta-jwt-verifier-js/lib.js

Lines 183 to 191 in 842952d

this.jwksClient = jwksClient({
  jwksUri: this.jwksUri,
  cache: true,
  cacheMaxAge: options.cacheMaxAge || (60 * 60 * 1000),
  cacheMaxEntries: 3,
  jwksRequestsPerMinute: options.jwksRequestsPerMinute || 10,
  rateLimit: true,
  requestAgentOptions: options.requestAgentOptions,
});

jwks-rsa does not support requestAgentOptions any more according to their changelog and instead allows for passing requestAgent itself.

Example:

const fs = require('fs');
const https = require('https');
const jwksClient = require('jwks-rsa');
// caFile: path to the CA bundle used for the JWKS request

// OLD
const oldClient = jwksClient({
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
  requestAgentOptions: {
    ca: fs.readFileSync(caFile)
  }
});

// NEW
const newClient = jwksClient({
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
  requestAgent: new https.Agent({
    ca: fs.readFileSync(caFile)
  })
});

Here's the reference: https://github.com/auth0/node-jwks-rsa/blob/b4be3390906b886529059316b987baf2aaddd521/CHANGELOG.md#migration-guide-from-v1-to-v2

What is expected to happen?

It should remove the deprecated option requestAgentOptions and add a new requestAgent option to allow users to configure the HTTP agent.

What is the actual behavior?

It still contains requestAgentOptions, which is not supported by jwks-rsa.

Reproduction Steps?

Unable to set proxy

SDK Versions

@okta/jwt-verifier

Execution Environment

Node 16+

Additional Information?

I will send a PR to allow users to pass a requestAgent option.

jwksUri option missing in type definitions

I'm submitting this issue for the package(s):

  • jwt-verifier
  • oidc-middleware

I'm submitting a:

  • Bug report
  • Feature request
  • Other (Describe below)

Current behavior

The verifyIdToken function accepts an option called "jwksUri" that allows callers to override the URI used to fetch the JWKS. This option is not found in the TypeScript type definitions.

Expected behavior

The "jwksUri" option is present in the TypeScript type definitions for verifyIdToken.

Minimal reproduction of the problem with instructions

Attempt to pass in a value for jwksUri in a TypeScript app. For example:

const verifier = new OktaJwtVerifier({
  issuer: '...',
  clientId: '...',
  jwksUri: '...',
});

The TS compiler will throw an error.

Environment

  • Package Version: 2.3.0
  • Browser: n/a
  • OS: n/a
  • Node version (node -v): 14.18.1
  • Other:

Expose the getKeysInterceptor option and getKeys function available in the jwks-rsa library

Describe the feature request?

Hello Team,

I am currently encountering an issue related to the JWKS endpoint and memory cache. When a pod restarts for any reason, the memory cache is lost, causing us to hit the JWKS endpoint. This is acceptable under normal circumstances, but becomes problematic when pods enter a restart loop, resulting in the memory cache being continuously cleared and the JWKS endpoint being repeatedly called.

This could potentially lead to issues or even a block. To mitigate this, we propose implementing an external cache to store keys, reducing our dependency on the memory cache.

The JWKS-RSA library already has this functionality, as demonstrated here

Additionally, we need access to the getKeys method in the same library to retrieve keys for storage in our external cache.

I hope this clarifies our situation and proposed solution. If it aligns with your understanding, I am prepared to submit a PR for this implementation.

Best Regards.

New or Affected Resource(s)

  • add a new optional field getKeysInterceptor in VerifierOptions object
  • expose method: getKeys available in JwksRsa.JwksClient

Provide a documentation link

https://github.com/auth0/node-jwks-rsa/blob/master/EXAMPLES.md#loading-keys-from-local-file-environment-variable-or-other-externals

Additional Information?

No response

CVE on dependencies

Describe the bug?

Hello,

Multiple CVEs have been reported on the jsonwebtoken package; all have been fixed in the latest release (more details here).

Unfortunately this project uses a version of the jwks-rsa package that doesn't use the latest version of the jsonwebtoken package.

In version 3.0.0, jwks-rsa doesn't use jsonwebtoken as a dependency anymore.

What is expected to happen?

Use the latest version of jwks-rsa (> 3)

What is the actual behavior?

Doesn't use the latest version of jwks-rsa (< 3)

Reproduction Steps?

Install the package

SDK Versions

2.6.0

Execution Environment

N/A

Additional Information?

No response

Updating the ReadMe (documentation) for the structure of the JSON returned after successful parsing of an Access Token

Describe the feature request?

Not exactly a feature request, but a request to update the documentation.
In the documentation:

If the access token is valid it will be converted to a JSON object and returned to your code.

However, there is no mention of the structure or properties of the returned JSON and what data it will hold.
It would be helpful for developers using this library to know what is being returned.

New or Affected Resource(s)

Documentation (ReadMe)

Provide a documentation link

https://github.com/okta/okta-jwt-verifier-js/blob/master/README.md

Additional Information?

No response

TypeError: Cannot assign to read only property 'setClaim' of object '[object Object]'

Describe the bug

I upgraded to NodeJS 22.3.0 and I am receiving

/Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241
      jwt[methodName] = method.bind({ body: jwtBodyProxy });
                        ^

TypeError: Cannot assign to read only property 'setClaim' of object '[object Object]'
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241:29
    at Array.forEach (<anonymous>)
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:238:30
    at /Users/username/Documents/repos/application/src/bff_api/node_modules/njwt/index.js:63:7
    at process.processTicksAndRejections (node:internal/process/task_queues:77:11)

Source Code in my api:

const OktaJwtVerifier = require('@okta/jwt-verifier')
const oktaJwtVerifier = new OktaJwtVerifier({ issuer: inputOktaIssuer })

// verifyToken is a method of an exported middleware object (enclosing object assumed)
module.exports = {
  verifyToken: async function verifyToken (req, res, next) {
    const authHeader = req.headers.authorization // ['authorization']
    const token = authHeader && authHeader.split(' ')[1]

    if (!token) {
      return res.status(401).json({ message: 'No token provided' })
    }

    // Passing a string for expectedAud
    await oktaJwtVerifier.verifyAccessToken(token, 'api://default')
      .then((jwt) => {
        next()
      })
      .catch((err) => {
        return res.status(403).json({ message: `Invalid token - ${err}` })
      })
  }
}

Reproduction Steps?

I make an API call from my frontend app to my backend api, which verifies the Okta token. When using nodejs 18.x it worked fine, but now with this version it fails with the above error. I discovered this because my docker pull for base image must have upgraded to a new version of Node and it started failing.

SDK Versions

System:
OS: macOS 14.5
CPU: (16) x64 Intel(R) Core(TM) i7-10700K CPU @ 3.80GHz
Memory: 21.12 GB / 72.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.3.0 - ~/.nvm/versions/node/v22.3.0/bin/node
npm: 10.8.1 - ~/.nvm/versions/node/v22.3.0/bin/npm
Browsers:
Chrome: 125.0.6422.144
Safari: 17.5
npmPackages:
@okta/jwt-verifier: ^3.2.0 => 3.2.0

Additional Information

No response

Okta JWT Verifier dependency vulnerability from Axios

Describe the bug?

https://www.npmjs.com/package/@okta/jwt-verifier package uses 1.12.3 version of https://www.npmjs.com/package/jwks-rsa/v/1.12.3 which uses Axios < 0.21.2 which is impacted by (GHSA-cph5-m8f7-6c5x).

Please could you upgrade https://www.npmjs.com/package/@okta/jwt-verifier to the next version (2.0.0).

What is expected to happen?

Do not install Axios < 0.21.2 in my project, because this package is impacted by security vulnerabilities (GHSA-cph5-m8f7-6c5x).

What is the actual behavior?

It installs Axios < 0.21.2 in my project, which has a security impact on it (GHSA-cph5-m8f7-6c5x).

Reproduction Steps?

npm install @okta/jwt-verifier

SDK Versions

"@okta/jwt-verifier": "^2.3.0",

Execution Environment

  • Runtime: NodeJS v16
  • Framework: NestJS ^8.0.0
  • macOS Monterey v12.5

Additional Information?

No response

Make errors more usable

Describe the feature request?

Currently the verifier throws generic instances of Error when verifying tokens. The only way to act on these errors is by looking at the error messages, which can of course change and are generally difficult to work with. The worst offender is the claims verifier, which returns a single error with each claim "error" string concatenated together.

I would suggest instead extending the Error class with your own Error classes, as you are doing for ConfigurationValidationError, so that we can disambiguate between different types of errors. For cases where you want to throw multiple errors, such as for the claims verifier, extend AggregateError and have the errors be instances of InvalidClaimError (or whatever you want to call that error).

New or Affected Resource(s)

I don't know what a resource is in this context...

Provide a documentation link

No response

Additional Information?

No response
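The typed-error scheme suggested above, as an added example that is not the library's code: one InvalidClaimError per failing claim, grouped in an AggregateError so callers branch on class and claim name rather than on message text. The class name, the claim-matching rules and the sample token body are constructed for this example.

```javascript
'use strict';

class InvalidClaimError extends Error {
  constructor(claim, actual, expectation) {
    super(`claim "${claim}" is ${JSON.stringify(actual)}, expected ${expectation}`);
    this.name = 'InvalidClaimError';
    this.claim = claim;   // machine-readable: which claim failed
    this.actual = actual; // the value seen in the token body
  }
}

// expected may be a literal, an array of acceptable literals, or a predicate.
function describe(expected) {
  if (typeof expected === 'function') return 'a value accepted by the predicate';
  if (Array.isArray(expected)) return `one of ${JSON.stringify(expected)}`;
  return JSON.stringify(expected);
}

function claimMatches(actual, expected) {
  if (typeof expected === 'function') return Boolean(expected(actual));
  if (Array.isArray(expected)) return expected.includes(actual);
  return actual === expected;
}

// Checks every expected claim before throwing so the caller sees all failures
// at once; returns true when everything matches.
function verifyClaims(body, expectedClaims) {
  const errors = [];
  for (const [claim, expected] of Object.entries(expectedClaims)) {
    if (!claimMatches(body[claim], expected)) {
      errors.push(new InvalidClaimError(claim, body[claim], describe(expected)));
    }
  }
  if (errors.length > 0) {
    throw new AggregateError(errors, `${errors.length} claim check(s) failed`);
  }
  return true;
}

// Consumer side: recover the failed claim names with no string matching.
function failedClaims(body, expectedClaims) {
  try {
    verifyClaims(body, expectedClaims);
    return [];
  } catch (err) {
    if (err instanceof AggregateError) {
      return err.errors.filter((e) => e instanceof InvalidClaimError).map((e) => e.claim);
    }
    throw err; // anything else is not a claims failure: propagate it
  }
}

// Constructed sample access-token body (not a real token).
const sampleBody = {
  iss: 'https://example.okta.com/oauth2/default',
  aud: 'api://other',
  cid: 'constructed-client-id',
  exp: 1000, // seconds since epoch, long in the past
};
```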

jwt.isExpired throws a TypeError after being verified

I'm submitting this issue for the package(s):

  • jwt-verifier
  • oidc-middleware

I'm submitting a:

  • Bug report
  • Feature request
  • Other (Describe below)

Current behavior

After successfully calling oktaVerifier.verifyAccessToken to generate an object with the OktaJwtVerifier.Jwt interface, calling isExpired on the jwt throws a TypeError.

jwt.isExpired() // throws TypeError: Cannot read property 'exp' of undefined

Expected behavior

jwt.isExpired() // should return a boolean

Minimal reproduction of the problem with instructions

On nJwt the JWT prototype expects there to be a body attribute on the object (ref), whereas in this repo it's being deleted (ref).

Extra information about the use case/user story you are trying to implement

It'd be nice to be able to follow the interfaces described in lib.d.ts

Environment

  • Package Version: 2.3.0
  • OS: Ubuntu
  • Node version (node -v): 12
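The two failure modes reported in this issue and in the Node 22.3.0 issue above ("Cannot read property 'exp' of undefined" after body is deleted, and "Cannot assign to read only property 'setClaim'" when a method is assigned over a non-writable inherited one), reproduced as an added example that is neither njwt's nor okta-jwt-verifier's code. The Jwt class is a minimal stand-in with a frozen prototype, and wrapJwt is a constructed alternative showing one way to keep both behaviours working.

```javascript
'use strict';

// Stand-in for an njwt-style token object: prototype methods read `this.body`,
// and the prototype is frozen to mimic a runtime or library version in which
// those methods are non-writable.
class Jwt {
  constructor(body) { this.body = body; }
  isExpired() { return new Date(this.body.exp * 1000) < new Date(); }
  setClaim(name, value) { this.body[name] = value; return this; }
}
Object.freeze(Jwt.prototype);

// Failure mode 1: removing `body` to hide raw claims breaks every inherited
// method that dereferences it.
function breakByDeletingBody(jwt) {
  delete jwt.body;
  try { jwt.isExpired(); return 'no error'; } catch (err) { return err.constructor.name; }
}

// Failure mode 2: in strict mode, plain assignment of an own property whose
// inherited counterpart is non-writable throws, whatever value is assigned.
function breakByAssigningOverReadOnly(jwt) {
  try { jwt.setClaim = () => jwt; return 'no error'; } catch (err) { return err.constructor.name; }
}

// A wrapper that keeps `body` in place so inherited methods still work, exposes
// a frozen `claims` copy for callers, and installs the per-instance override with
// defineProperty, which creates an own property regardless of the prototype's
// writability. `target` plays the role of the body proxy the library binds
// methods to: writes made through setClaim land there, not in `body`.
function wrapJwt(jwt, target) {
  Object.defineProperty(jwt, 'claims', { value: Object.freeze({ ...jwt.body }), enumerable: true });
  Object.defineProperty(jwt, 'setClaim', {
    value: Jwt.prototype.setClaim.bind({ body: target }),
    writable: true,
    configurable: true,
  });
  return jwt;
}
```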

Integrate some form of automatic updates to dependencies

Describe the feature request?

I would like this library to get more regular automatic updates to its dependencies. Currently its dependencies are far out of date.

yarn upgrade-interactive --latest
yarn upgrade-interactive v1.22.19
info Color legend :
 "<red>"    : Major Update backward-incompatible updates
 "<yellow>" : Minor Update backward-compatible features
 "<green>"  : Patch Update backward-compatible bug fixes
? Choose which packages to update. (Press <space> to select, <a> to toggle all, <i> to invert selection)
 devDependencies
   name                              range   from       to      url
❯◯ @typescript-eslint/eslint-plugin  latest  4.29.3  ❯  5.47.1  https://github.com/typescript-eslint/typescript-eslint#readme
 ◯ @typescript-eslint/parser         latest  4.29.3  ❯  5.47.1  https://github.com/typescript-eslint/typescript-eslint#readme
 ◯ chalk                             latest  4.1.2   ❯  5.2.0   https://github.com/chalk/chalk#readme
 ◯ cross-env                         latest  5.2.1   ❯  7.0.3   https://github.com/kentcdodds/cross-env#readme
 ◯ dotenv                            latest  10.0.0  ❯  16.0.3  https://github.com/motdotla/dotenv#readme
 ◯ eslint                            latest  7.32.0  ❯  8.31.0  https://eslint.org
 ◯ express                           latest  4.17.1  ❯  4.18.2  http://expressjs.com/
 ◯ globby                            latest  11.0.4  ❯  13.1.3  https://github.com/sindresorhus/globby#readme
 ◯ jest                              latest  27.5.1  ❯  29.3.1  https://jestjs.io/
 ◯ jest-junit                        latest  13.0.0  ❯  15.0.0  https://github.com/jest-community/jest-junit#readme
 ◯ nock                              latest  9.6.1   ❯  13.2.9  https://github.com/nock/nock#readme
 ◯ node-fetch                        latest  2.6.7   ❯  3.3.0   https://github.com/node-fetch/node-fetch
 ◯ timekeeper                        latest  1.0.0   ❯  2.2.0   http://github.com/vesln/timekeeper
 ◯ tsd                               latest  0.19.1  ❯  0.25.0  https://github.com/SamVerschueren/tsd#readme
 ◯ typescript                        latest  4.4.2   ❯  4.9.4   https://www.typescriptlang.org/

 resolutionDependencies
   name                              range   from       to      url
 ◯ axios                             latest  0.27.2  ❯  1.2.2   https://axios-http.com
 ◯ minimist                          latest  1.2.6   ❯  1.2.7   https://github.com/minimistjs/minimist
 ◯ qs                                latest  6.10.3  ❯  6.11.0  https://github.com/ljharb/qs

 dependencies
   name                              range   from       to      url
 ◯ jwks-rsa                          latest  1.12.3  ❯  3.0.0   https://github.com/auth0/node-jwks-rsa#readme

New or Affected Resource(s)

Dependencies

Provide a documentation link

No response

Additional Information?

No response

Type Definitions

Describe the feature request?

Typescript type definitions were made available when this library was in the oidc-js project but have since been "lost" when the code was moved to a separate repository.
okta/okta-oidc-js#979

I am requesting that type definitions be made available for this library.

New or Affected Resource(s)

??

Provide a documentation link

No response

Additional Information?

No response

Seeing "utils.js:2 Uncaught Error: Cannot find module 'crypto'"

Describe the bug

Hello.

I just did an npm install of this module and now I am seeing the following error message.

utils.js:2 Uncaught Error: Cannot find module 'crypto'
    at webpackMissingModule (utils.js:2:1)
    at ./node_modules/jwks-rsa/src/utils.js (utils.js:2:1)
    at options.factory (react refresh:6:1)
    at __webpack_require__ (bootstrap:24:1)
    at fn (hot module replacement:62:1)
    at ./node_modules/jwks-rsa/src/JwksClient.js (JwksClient.js:2:1)
    at options.factory (react refresh:6:1)
    at __webpack_require__ (bootstrap:24:1)
    at fn (hot module replacement:62:1)
    at ./node_modules/jwks-rsa/src/index.js (index.js:1:1)

Reproduction Steps?

import OktaJwtVerifier from '@okta/jwt-verifier';

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: `${config.OKTA_URL}/oauth2/default`
})

oktaJwtVerifier.verifyAccessToken(token, expected_aud);

SDK Versions

System:
OS: Linux 5.15 Ubuntu 20.04.5 LTS (Focal Fossa)
CPU: (16) x64 Intel(R) Xeon(R) Platinum 8375C CPU @ 2.90GHz
Memory: 50.99 GB / 61.79 GB
Container: Yes
Shell: 5.0.17 - /bin/bash
Binaries:
Node: 19.3.0 - /usr/bin/node
npm: 9.2.0 - /usr/bin/npm
Browsers:
Chromium: 115.0.5790.170

Additional Information

No response

Error while verifying the Okta token from Node.js

Describe the bug?

Using the Okta JWT Verifier package in Node.js with the Nest framework, we are getting the error "Error while resolving signing key for kid "cjCtmAl4jaByzZs5p****************zf6ZAU"".

We are using const jwt = await oktaJwtVerifier.verifyAccessToken(token, ENV_VALUES.OKTA_CLIENTID); to get the email and claims.

What is expected to happen?

Expected OKTA claims and email after token verification.

What is the actual behavior?

Frontend (Angular):
We receive a token from the Okta using the following configuration syntax.

const okta_prod_config = {
  issuer: 'xxxxxxx.okta.com/',
  clientId: '**********',
  redirectUri: window.location.origin + '/login/callback',
  scopes: ['openid', 'profile', 'email'],
  testing: { disableHttpsCheck: false }
};

After the successful Okta authentication, we pass this token to our server through the API header, i.e., Authorization: Token.

Backend (NodeJs):
After receiving the token from the API header, we verify the token using the Okta JWT verifier by passing the client ID and the issuer.

const jwt = await oktaJwtVerifier.verifyAccessToken(token, ENV_VALUES.OKTA_CLIENTID);

We tried pasting the token received from Okta into jwt.io and compared the information with what is passed to the Okta verifier. The information matches, but the code goes to the catch block and throws the error shown in the screenshot below.

error JWT

Reproduction Steps?

It happens every time.

SDK Versions

  • jwt-verifier package Version: 2.0.0

  • OKTA SDK (Angular):
    "@okta/okta-angular": "^4.1.1",
    "@okta/okta-auth-js": "^5.11.0",

Execution Environment

  • Node version (node -v): 13.9.1
  • Browser: Chrome
  • OS: Windows 10

Additional Information?

No response
