I am trying to verify a JWT token sent from a frontend app using the #okta/jwt-verifier package.I keep getting the below error
JwtParseError: Error while resolving signing key for kid "kp2hms0pqlMsflp34dc"
innerError: Error: unable to get local issuer certificate
The credentials I am using are similar to the below
OKTA_AUDIENCE = 'api://default'
OKTA_CLIENT_ID = '0psnmdjeuti34spl8'
OKTA_ISSUER = 'https://dev-04567220.okta.com/oauth2/default'
const OktaJwtVerifier = require('#okta/jwt-verifier');
const oktaJwtVerifier = new OktaJwtVerifier({
issuer: OKTA_ISSUER ,
clientId: OKTA_CLIENT_ID
});
oktaJwtVerifier.verifyAccessToken(token, OKTA_AUDIENCE )
.then(jwt => {
// the token is valid (per definition of 'valid' above)
console.log(jwt.claims);
})
.catch(err => {
// a validation failed, inspect the error
});
What exactly am I doing wrong ?
Here's the developer documentation on how to verify a token from Okta.
Some things to double-check
Your Audience, Client ID, and Issuer are correct and matches how the front-end gets the token
You are only verifying the token (so the Bearer text is removed)
The front-end is sending you the correct token, the Access token
Related
I was trying to acquire token from our Microsoft tenant. I have no knowledge about the Azure AD or whatsoever, because I only tasked to develop front end for our Microsoft Dynamics App in React. I only got some of the credential like tenant id, client id, client secret and resource.
I used MSAL Node library and function ConfidentialClientApplication() to acquire the token
But when I check it in the Ms. Edge's console log it throw an error
{"errorCode":"endpoints_resolution_error","errorMessage":"Error: could
not resolve endpoints. Please check network and try again. Detail:
ClientAuthError: openid_config_error: Could not retrieve endpoints.
Check your authority and verify the .well-known/openid-configuration
endpoint returns the required endpoints. Attempted to retrieve
endpoints from: verify
url","subError":"","name":"ClientAuthError","correlationId":""}
When I click the veryfy url (Cannot show you the url because it might contain sensitive information)
It shows all the metadata of the open id so I thought maybe it's normal.
But why is the error endpoints_resolution_error throwed when everything is normal?
Here is some snapshot of my code
const config = {
auth: {
clientId: clientID
authority: "https://login.microsoftonline.com/{tenantID}/",
clientSecret: clientSecret,
knownAuthorities: ["login.microsoftonline.com"],
protocolMode: "OIDC"
}
};
// Create msal application object
const cca = new msal.ConfidentialClientApplication(config);
// With client credentials flows permissions need to be granted in the portal by a tenant administrator.
// The scope is always in the format "<resource>/.default"
const clientCredentialRequest = {
scopes: ["resource/.default"], // replace with your resource
};
cca.acquireTokenByClientCredential(clientCredentialRequest).then((response) => {
console.log("Response: ", response);
}).catch((error) => {
console.log(JSON.stringify(error));
});
I've tried changing the authority and the protocol mode several times, but same result
Tried to login via microsoft provider but after providing my email in the popup I m getting following error:
error_description=The request is not valid for the application's 'userAudience' configuration. In order to use /common/ endpoint, the application must not be configured with 'Consumer' as the user audience. The userAudience should be configured with 'All' to use /common/ endpoint.
I m not sure where exactly I need to set it as consumer. Here is my code
const provider = new OAuthProvider("microsoft.com");
signInWithPopup(auth, provider)
.then((result) => {
console.log("doLogin then section");
// User is signed in.
// IdP data available in result.additionalUserInfo.profile.
// Get the OAuth access token and ID Token
const credential = OAuthProvider.credentialFromResult(result);
const accessToken = credential.accessToken;
const idToken = credential.idToken;
})
.catch((error) => {
console.log("doLogin", error);
});
it's common error
Create a new App Registration with supported account type as "All Microsoft account users" works with any errors.
Context
I'm following Google's RTDNs guide on enabling Real-Time Developer Notifications. I've successfully created the topic and subscription and have received the push notifications sent to the API that I have created. I would now like to authenticate and validate these messages. For that, I'm following this guide on Authentication and Authorization. Their developer documentation here and here has a seemingly useful example.
The Issue
After following the resources outlined above, I get the following error:
Error: No pem found for envelope: {"typ":"JWT","alg":"HS256"}
Relevant Code
const authClient = new OAuth2Client();
// ...
app.post('/pubsub/authenticated-push', jsonBodyParser, async (req, res) => {
// Verify that the push request originates from Cloud Pub/Sub.
try {
// Get the Cloud Pub/Sub-generated JWT in the "Authorization" header.
const bearer = req.header('Authorization');
const [, token] = bearer.match(/Bearer (.*)/);
// Verify and decode the JWT.
// Note: For high volume push requests, it would save some network
// overhead if you verify the tokens offline by decoding them using
// Google's Public Cert; caching already seen tokens works best when
// a large volume of messages have prompted a single push server to
// handle them, in which case they would all share the same token for
// a limited time window.
// verifyIdToken is failing here with the `No pem found for envelope` error
const ticket = await authClient.verifyIdToken({
idToken: token,
audience: 'example.com',
});
// ...
} catch (e) {
res.status(400).send('Invalid token');
return;
}
res.status(200).send();
});
The Questions
From this, I'm assuming I need to have some public key.
Where do I get said public key?
Where do I put said public key so that the google client is initialized with it?
How can I generate an example JWT to test my endpoint?
Edits
I was able to find the source of this error in their code here:
if (!Object.prototype.hasOwnProperty.call(certs, envelope.kid)) {
// If this is not present, then there's no reason to attempt verification
throw new Error('No pem found for envelope: ' + JSON.stringify(envelope));
}
However, I've verified that the kid attribute does indeed exist in the decoded object:
{"alg":"RS256","kid":"7d680d8c70d44e947133cbd499ebc1a61c3d5abc","typ":"JWT"}
Turns out the kid was invalid and therefore threw the No pem found for envelope error. Once a valid kid was supplied, the error no longer persisted.
I am using postman to mimic requests to firebase and firestore, i am using FBAuth middleware for protected routes like uploading images, posting a comment, so i need to make sure that the user is authenticated before posting an image or writing a comment, but i always get a message in postman that my id token has expired,
FBAuth middleware:
const FBAuth = (req, res, next) => {
let idToken;
if (req.headers.authorization && req.headers.authorization.startsWith('Bearer ')) {
idToken = req.headers.authorization.split('Bearer ')[1];
} else {
console.error('no token found');
return res.status(400).json({ error: 'unauthorized' })
}
admin.auth().verifyIdToken(idToken).then(decodedToken => {
req.user = decodedToken;
console.log(decodedToken);
return db.collection('users').where('userId', '==', req.user.uid)
.limit(1)
.get();
}).then(data => {
req.user.handle = data.docs[0].data().handle;
return next();
})
.catch(err => {
console.error(err);
return res.status(403).json(err)
})
}
Then use the middleware like this:
app.post('/user/image', FBAuth, uploadImage);`
In post man, i am using the token i get from sign in process to make the request, but i always get that message:
{
"code": "auth/id-token-expired",
"message": "Firebase ID token has expired. Get a fresh ID token from your client app and try again (auth/id-token-expired). See https://firebase.google.com/docs/auth/admin/verify-id-tokens for details on how to retrieve an ID token."
}
The error message is telling you that you have a problem on the frontend, not on the backend. Your frontend has simply delivered an expired token. It will need to keep refreshing the token every hour, since that's how long they last.
You haven't really said anything about your frontend at all, but it should be using an ID token listener to get fresh tokens delivered every hour. If the client is JavaScript, it would use onTokenIdChanged. If you're copying the token from your web or mobile client for use in postman, know that you will need to keep generating and copying a new tokens during development in order to stay fresh every hour.
My front end application is authenticated using gmail account.
I retrieve id_token after the authentication is successful and send it as Authorization Header as bearer token.
E.g.
http://localhost:4000/api
Authorization Bearer token_id
At nodejs server side, I call the following method to verify the token.
exports.verifyUser = function(req, res, next) {
var GoogleAuth = require('google-auth-library');
var auth = new GoogleAuth();
var client = new auth.OAuth2(config.passport.google.clientID, config.passport.google.clientSecret, config.passport.google.callbackURL);
// check header or url parameters or post parameters for token
var token = "";
var tokenHeader = req.headers["authorization"];
var items = tokenHeader.split(/[ ]+/);
if (items.length > 1 && items[0].trim().toLowerCase() == "bearer") {
token = items[1];
}
if (token) {
var verifyToken = new Promise(function(resolve, reject) {
client.verifyIdToken(
token,
config.passport.google.clientID,
function(e, login) {
console.log(e);
if (login) {
var payload = login.getPayload();
var googleId = payload['sub'];
resolve(googleId);
next();
} else {
reject("invalid token");
}
}
)
}).then(function(googleId) {
res.send(googleId);
}).catch(function(err) {
res.send(err);
})
} else {
res.send("Please pass token");
}
}
When I call the above method, I always get Invalid token response with following error.
Error: No pem found for envelope: {"alg":"RS256","kid":"c1ab5857066442ea01a01601
850770676460a712"}
at OAuth2Client.verifySignedJwtWithCerts (\node_modules\google-auth-libr
ary\lib\auth\oauth2client.js:518:13)
Is this the right approach to verify token?
Do I send the id_token as Authorization bearer? Or is it for authorization only?
How do I send the id_token to the sever side? Thru url, header?
What am I doing wrong?
Any help is highly appreciated.
OAuth2Client.verifyIdToken take an idToken in arguments, from the library source :
/**
* Verify id token is token by checking the certs and audience
* #param {string} idToken ID Token.
* #param {(string|Array.<string>)} audience The audience to verify against the ID Token
* #param {function=} callback Callback supplying GoogleLogin if successful
*/
OAuth2Client.prototype.verifyIdToken = function(idToken, audience, callback)
You have passed the whole header value bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImMxYWI1OD U3MDY2NDQyZWEwMWEwMTYwMTg1MDc3MDY3NjQ2MGE3MTIifQ so you will have to split the headers value as :
var authorization = req.headers["authorization"];
var items = authorization.split(/[ ]+/);
if (items.length > 1 && items[0].trim() == "Bearer") {
var token = items[1];
console.log(token);
// verify token
}
Is this the right approach to verify token ?
Yes, this is the right way to verify token. For debugging, you can also verify token with the tokeninfo endpoint if you have any doubt or for quick testing :
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
Do I send the id_token as Authorization bearer? Or is it for
authorization only?
How do I send the id_token to the sever side? Thru
url, header?
You can send JWT token in Authorization header but it could lead to usecase where you have multiple Authorization headers. It's best to URL encode or embed the token in the body. You can check Google example here
Moreover, the following are required by Google :
the token must be sent via HTTPS POST
the token integrity must be verified
To optimize your code, you could also move your Google auth object to your app.js at the root of your app instead of redefining it each time the token should be verified. In app.js :
var app = express();
var GoogleAuth = require('google-auth-library');
var auth = new GoogleAuth();
app.authClient = new auth.OAuth2(config.passport.google.clientID, config.passport.google.clientSecret, config.passport.google.callbackURL);
and in verifyUser call it from req.app.authClient :
req.app.authClient.verifyIdToken(...)
I finally found the answer today.
The Firebase tool will connect the native Google to the third-party login token, and then encapsulate another layer. The token obtained at this time is no longer the original token given to us by Google.
A1:
Original Token: GoogleDesignInAccount Account = Task.getResult(ApiException.class);
Account.getidToken () // This is the original token
B1:
Firebase token: FireBaseUser currentUser = Mauth.getCurrentUser ();
String token = currentUser.getIdToken(false).getResult().getToken();
A2:
Google officially provides a method to verify the token
B2:
Firebase officially provides the authentication token method
We use code names for the four data points above. If you need to verify the validity of tokens in the background, they must correspond to each other, A1 to A2 and B1 to B2. If you use A2 to validate the B1, it will fail
First of all, do not use Id_Token for authorization. It is only for authentication. Use access token for authorization. Use link below to verify token.
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=${access_token}