okta / okta-jwt-verifier-js
Home Page: https://github.com/okta/okta-jwt-verifier-js
License: Other
Code location:
Lines 183 to 191 in 842952d
jwks-rsa does not support requestAgentOptions any more according to their changelog and instead allows for passing requestAgent itself.
Example:
const fs = require('fs');
const https = require('https');
const jwksClient = require('jwks-rsa');

// OLD
const oldClient = jwksClient({
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
  requestAgentOptions: {
    ca: fs.readFileSync(caFile)
  }
});

// NEW
const newClient = jwksClient({
  jwksUri: 'https://sandrino.auth0.com/.well-known/jwks.json',
  requestAgent: new https.Agent({
    ca: fs.readFileSync(caFile)
  })
});
Here's the reference: https://github.com/auth0/node-jwks-rsa/blob/b4be3390906b886529059316b987baf2aaddd521/CHANGELOG.md#migration-guide-from-v1-to-v2
It should remove the deprecated option requestAgentOptions and add a new requestAgent option to allow users to configure the HTTP agent.
It still contains requestAgentOptions, which is not supported by jwks-rsa.
Unable to set proxy
@okta/jwt-verifier
Node 16+
I will send a PR to allow users to pass the requestAgent option.
The verifyIdToken function accepts an option called "jwksUri" that allows callers to override the URI used to fetch the JWKS. This option is not found in the TypeScript type definitions.
The "jwksUri" option is present in the TypeScript type definitions for verifyIdToken.
Attempt to pass in a value for jwksUri in a TypeScript app. For example:
const verifier = new OktaJwtVerifier({
  issuer: '...',
  clientId: '...',
  jwksUri: '...',
});
The TS compiler will throw an error.
Node version (node -v): 14.18.1
Hello Team,
I am currently encountering an issue related to the JWKS endpoint and memory cache. When a pod restarts for any reason, the memory cache is lost, causing us to hit the JWKS endpoint. This is acceptable under normal circumstances, but becomes problematic when pods enter a restart loop, resulting in the memory cache being continuously cleared and the JWKS endpoint being repeatedly called.
This could potentially lead to issues or even a block. To mitigate this, we propose implementing an external cache to store keys, reducing our dependency on the memory cache.
The jwks-rsa library already has this functionality, as demonstrated here.
Additionally, we need access to the getKeys method in the same library to retrieve keys for storage in our external cache.
I hope this clarifies our situation and proposed solution. If it aligns with your understanding, I am prepared to submit a PR for this implementation.
Best Regards.
getKeysInterceptor in the VerifierOptions object
getKeys available in JwksRsa.JwksClient
Hello,
Multiple CVEs have been reported on the jsonwebtoken package; all have been fixed in the latest release (more details here).
Unfortunately this project uses a version of the jwks-rsa package that doesn't use the latest version of the jsonwebtoken package.
In version 3.0.0, jwks-rsa doesn't use jsonwebtoken as a dependency anymore.
Use the latest version of jwks-rsa (> 3)
Doesn't use the latest version of jwks-rsa (< 3)
Install the package
2.6.0
N/A
Not exactly a feature request, but a request to update the documentation.
In the documentation:
If the access token is valid it will be converted to a JSON object and returned to your code.
However there is no mention of the structure or properties of the returned JSON and what data it will hold.
It would be helpful for developers using this library to know what is being returned
Documentation (ReadMe)
https://github.com/okta/okta-jwt-verifier-js/blob/master/README.md
I upgraded to NodeJS 22.3.0 and I am receiving:
/Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241
  jwt[methodName] = method.bind({ body: jwtBodyProxy });
                  ^
TypeError: Cannot assign to read only property 'setClaim' of object '[object Object]'
  at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:241:29
  at Array.forEach (<anonymous>)
  at /Users/username/Documents/repos/application/src/bff_api/node_modules/@okta/jwt-verifier/lib.js:238:30
  at /Users/username/Documents/repos/application/src/bff_api/node_modules/njwt/index.js:63:7
  at process.processTicksAndRejections (node:internal/process/task_queues:77:11)
Source code in my API:
const oktaJwtVerifier = new OktaJwtVerifier({ issuer: inputOktaIssuer })

verifyToken: async function verifyToken (req, res, next) {
  const authHeader = req.headers.authorization // ['authorization']
  const token = authHeader && authHeader.split(' ')[1]
  if (!token) {
    return res.status(401).json({ message: 'No token provided' })
  }
  // Passing a string for expectedAud
  await oktaJwtVerifier.verifyAccessToken(token, 'api://default')
    .then((jwt) => {
      next()
    })
    .catch((err) => {
      return res.status(403).json({ message: `Invalid token - ${err}` })
    })
}
I make an API call from my frontend app to my backend API, which verifies the Okta token. When using Node.js 18.x it worked fine, but now with this version it fails with the above error. I discovered this because my Docker pull for the base image must have upgraded to a new version of Node and it started failing.
System:
OS: macOS 14.5
CPU: (16) x64 Intel(R) Core(TM) i7-10700K CPU @ 3.80GHz
Memory: 21.12 GB / 72.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 22.3.0 - ~/.nvm/versions/node/v22.3.0/bin/node
npm: 10.8.1 - ~/.nvm/versions/node/v22.3.0/bin/npm
Browsers:
Chrome: 125.0.6422.144
Safari: 17.5
npmPackages:
@okta/jwt-verifier: ^3.2.0 => 3.2.0
The https://www.npmjs.com/package/@okta/jwt-verifier package uses version 1.12.3 of https://www.npmjs.com/package/jwks-rsa/v/1.12.3, which uses Axios < 0.21.2, which is impacted by GHSA-cph5-m8f7-6c5x.
Please could you upgrade https://www.npmjs.com/package/@okta/jwt-verifier to the next version (2.0.0).
Do not install Axios < 0.21.2 in my project, because this package is impacted by security vulnerabilities (GHSA-cph5-m8f7-6c5x).
It installs Axios < 0.21.2 in my project and is making a security impact on it (GHSA-cph5-m8f7-6c5x).
npm install @okta/jwt-verifier
"@okta/jwt-verifier": "^2.3.0",
Currently the verifier throws generic instances of Error when verifying tokens. The only way to act on these errors is by looking at the error messages, which can of course change and are generally difficult to work with. The worst offender is the claims verifier, which returns a single error with each claim "error" string concatenated together.
I would suggest instead extending the Error class with your own Error classes, as you are doing for ConfigurationValidationError, so that we can disambiguate between different types of errors. For cases where you want to throw multiple errors, such as for the claims verifier, extend AggregateError and have the errors be instances of InvalidClaimError (or whatever you want to call that error).
I don't know what a resource is in this context...
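What the suggestion above looks like in practice, as an added example that is my own code and not the verifier's: an InvalidClaimError per failed claim, a ClaimsVerificationError that extends AggregateError to carry all of them, and a claims check that throws one typed error for iss, aud, exp and nbf instead of a concatenated message. The claim rules, the leeway option and the function names are assumptions of this example; the page only proposes the class hierarchy.

```javascript
// Added example: typed claim errors so callers branch on error class, not message text.

class InvalidClaimError extends Error {
  constructor(claim, message, actual) {
    super(`${claim}: ${message}`);
    this.name = 'InvalidClaimError';
    this.claim = claim;   // which claim failed, e.g. 'exp'
    this.actual = actual; // the value seen, for logging (never echo it back to the client)
  }
}

// One error object for the whole claims pass; `errors` is AggregateError's own property.
class ClaimsVerificationError extends AggregateError {
  constructor(errors) {
    super(errors, `${errors.length} claim check(s) failed`);
    this.name = 'ClaimsVerificationError';
  }
  get failedClaims() {
    return this.errors.map((e) => e.claim);
  }
}

// Checks the standard claims against what this service expects. `now` is seconds since
// the epoch (injectable for tests); `leewaySeconds` absorbs small clock skew in both directions.
function verifyClaims(claims, expected, { now = Math.floor(Date.now() / 1000), leewaySeconds = 0 } = {}) {
  const errors = [];
  if (claims.iss !== expected.issuer) {
    errors.push(new InvalidClaimError('iss', `expected "${expected.issuer}"`, claims.iss));
  }
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.audience)) {
    errors.push(new InvalidClaimError('aud', `expected "${expected.audience}"`, claims.aud));
  }
  if (!Number.isInteger(claims.exp)) {
    errors.push(new InvalidClaimError('exp', 'missing or not an integer', claims.exp));
  } else if (claims.exp + leewaySeconds <= now) {
    errors.push(new InvalidClaimError('exp', 'token has expired', claims.exp));
  }
  if (claims.nbf !== undefined && (!Number.isInteger(claims.nbf) || claims.nbf - leewaySeconds > now)) {
    errors.push(new InvalidClaimError('nbf', 'token not yet valid', claims.nbf));
  }
  if (errors.length > 0) throw new ClaimsVerificationError(errors);
  return claims;
}

// How a caller would consume the typed errors: a bad token is an expected outcome,
// anything else propagates as a bug.
function checkClaims(claims, expected, options) {
  try {
    verifyClaims(claims, expected, options);
    return { ok: true, failedClaims: [] };
  } catch (err) {
    if (err instanceof ClaimsVerificationError) {
      return { ok: false, failedClaims: err.failedClaims };
    }
    throw err;
  }
}
```

Returning the list of failed claim names (and logging the per-claim detail server-side) is usually the right split: the HTTP response stays a bare 401/403, while the log line says exactly which check rejected the token.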
After successfully calling oktaVerifier.verifyAccessToken to generate an object with the OktaJwtVerifier.Jwt interface, calling isExpired on the jwt throws a TypeError.
jwt.isExpired() // throws TypeError: Cannot read property 'exp' of undefined
jwt.isExpired() // should return a boolean
On nJwt the JWT prototype expects there to be a body attribute on the object (ref), whereas in this repo it's being deleted (ref).
It'd be nice to be able to follow the interfaces described in lib.d.ts.
Node version (node -v): 12
Would like this library to get more regular automatic updates to its dependencies. Currently its dependencies are far out of date.
yarn upgrade-interactive --latest
yarn upgrade-interactive v1.22.19
info Color legend :
"<red>" : Major Update backward-incompatible updates
"<yellow>" : Minor Update backward-compatible features
"<green>" : Patch Update backward-compatible bug fixes
? Choose which packages to update. (Press <space> to select, <a> to toggle all, <i> to invert selection)
devDependencies
name range from to url
❯◯ @typescript-eslint/eslint-plugin latest 4.29.3 ❯ 5.47.1 https://github.com/typescript-eslint/typescript-eslint#readme
◯ @typescript-eslint/parser latest 4.29.3 ❯ 5.47.1 https://github.com/typescript-eslint/typescript-eslint#readme
◯ chalk latest 4.1.2 ❯ 5.2.0 https://github.com/chalk/chalk#readme
◯ cross-env latest 5.2.1 ❯ 7.0.3 https://github.com/kentcdodds/cross-env#readme
◯ dotenv latest 10.0.0 ❯ 16.0.3 https://github.com/motdotla/dotenv#readme
◯ eslint latest 7.32.0 ❯ 8.31.0 https://eslint.org
◯ express latest 4.17.1 ❯ 4.18.2 http://expressjs.com/
◯ globby latest 11.0.4 ❯ 13.1.3 https://github.com/sindresorhus/globby#readme
◯ jest latest 27.5.1 ❯ 29.3.1 https://jestjs.io/
◯ jest-junit latest 13.0.0 ❯ 15.0.0 https://github.com/jest-community/jest-junit#readme
◯ nock latest 9.6.1 ❯ 13.2.9 https://github.com/nock/nock#readme
◯ node-fetch latest 2.6.7 ❯ 3.3.0 https://github.com/node-fetch/node-fetch
◯ timekeeper latest 1.0.0 ❯ 2.2.0 http://github.com/vesln/timekeeper
◯ tsd latest 0.19.1 ❯ 0.25.0 https://github.com/SamVerschueren/tsd#readme
◯ typescript latest 4.4.2 ❯ 4.9.4 https://www.typescriptlang.org/
resolutionDependencies
name range from to url
◯ axios latest 0.27.2 ❯ 1.2.2 https://axios-http.com
◯ minimist latest 1.2.6 ❯ 1.2.7 https://github.com/minimistjs/minimist
◯ qs latest 6.10.3 ❯ 6.11.0 https://github.com/ljharb/qs
dependencies
name range from to url
◯ jwks-rsa latest 1.12.3 ❯ 3.0.0 https://github.com/auth0/node-jwks-rsa#readme
Dependencies
We are trying to deploy a Node.js application in Jenkins, and then Snyk found a vulnerability with @okta/[email protected] > [email protected]
https://security.snyk.io/vuln/SNYK-JS-NJWT-6861582
@okta/[email protected]
Typescript type definitions were made available when this library was in the oidc-js project but have since been "lost" when the code was moved to a separate repository.
okta/okta-oidc-js#979
I am requesting that type definitions be made available for this library.
Hello.
I just did npm install of this module and now I am seeing the following error message.
utils.js:2 Uncaught Error: Cannot find module 'crypto'
at webpackMissingModule (utils.js:2:1)
at ./node_modules/jwks-rsa/src/utils.js (utils.js:2:1)
at options.factory (react refresh:6:1)
at __webpack_require__ (bootstrap:24:1)
at fn (hot module replacement:62:1)
at ./node_modules/jwks-rsa/src/JwksClient.js (JwksClient.js:2:1)
at options.factory (react refresh:6:1)
at __webpack_require__ (bootstrap:24:1)
at fn (hot module replacement:62:1)
at ./node_modules/jwks-rsa/src/index.js (index.js:1:1)
import OktaJwtVerifier from '@okta/jwt-verifier';

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: `${config.OKTA_URL}/oauth2/default`
})

oktaJwtVerifier.verifyAccessToken(token, expected_aud);
System:
OS: Linux 5.15 Ubuntu 20.04.5 LTS (Focal Fossa)
CPU: (16) x64 Intel(R) Xeon(R) Platinum 8375C CPU @ 2.90GHz
Memory: 50.99 GB / 61.79 GB
Container: Yes
Shell: 5.0.17 - /bin/bash
Binaries:
Node: 19.3.0 - /usr/bin/node
npm: 9.2.0 - /usr/bin/npm
Browsers:
Chromium: 115.0.5790.170
Using the Okta JWT Verifier package in Node.js with the Nest framework, we are getting an error ("Error while resolving signing key for kid "cjCtmAl4jaByzZs5p****************zf6ZAU"").
We are using const jwt = await oktaJwtVerifier.verifyAccessToken(token,ENV_VALUES.OKTA_CLIENTID); to get the email and claims.
Expected OKTA claims and email after token verification.
Frontend (Angular):
We receive a token from Okta using the following configuration syntax.
const okta_prod_config = {
  issuer: 'xxxxxxx.okta.com/',
  clientId: '**********',
  redirectUri: window.location.origin + '/login/callback',
  scopes: ['openid', 'profile', 'email'],
  testing: { disableHttpsCheck: false }
};
After the successful Okta authentication, we pass this token to our server through the API header, i.e., Authorization: Token
Backend (NodeJs)
After receiving the token from the API header, we are verifying the token using the Okta JWT verifier by passing the client ID and the issuer.
const jwt = await oktaJwtVerifier.verifyAccessToken(token,ENV_VALUES.OKTA_CLIENTID);
We tried pasting the token received from Okta into jwt.io and verified the information against the information passed to the Okta verifier. The information matches, but the code goes to the catch block and throws the error shown in the screenshot below.
It happens every time.
jwt-verifier package Version: 2.0.0
OKTA SDK (Angular):
"@okta/okta-angular": "^4.1.1",
"@okta/okta-auth-js": "^5.11.0",
Node version (node -v): 13.9.1