okta-jwt-verifier-php's Issues

$jwtVerifier->metaData is null

Hi
When I try to run the following code:

$url = config('app.okta_base_url') . '/oauth2';
$jwtVerifier = (new JwtVerifier\JwtVerifierBuilder())
            ->setAdaptor(new JwtVerifier\Adaptors\FirebasePhpJwt)
            ->setAudience('api://default')
            ->setClientId(config('app.okta_client_id'))
            ->setIssuer($url)
            ->build();

$jwtVerifier->metaData is null, and I have no idea why.

When I try to run like in the example with /default:
$url = config('app.okta_base_url') . '/oauth2/default';

metaData is not null, but I get errorCode "E0000015" and errorSummary: "You do not have permission to access the feature you are requesting". I've been told that specifically in my case I don't need to use /default; I'm not using it in any of my other API calls.

Any suggestions?

Thanks in advance!

Update to Carbon 2

Currently, the package relies on Carbon 1.22. Do you plan to integrate support for Carbon 2?

Installation trouble w/ Carbon

Upon running composer require okta/jwt-verifier I get this error. Any suggestions?

Using version ^0.2.1 for okta/jwt-verifier
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for okta/jwt-verifier ^0.2.1 -> satisfiable by okta/jwt-verifier[0.2.1].
    - Conclusion: remove nesbot/carbon 2.23.1
    - Conclusion: don't install nesbot/carbon 2.23.1
    - okta/jwt-verifier 0.2.1 requires nesbot/carbon ^1.22 -> satisfiable by nesbot/carbon[1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.25.1, 1.25.3, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.26.6, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.33.0, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.36.0, 1.36.1, 1.36.2, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.39.0].
    - Can only install one of: nesbot/carbon[1.26.3, 2.23.1].
    - Can only install one of: nesbot/carbon[1.26.4, 2.23.1].
    - Can only install one of: nesbot/carbon[1.26.5, 2.23.1].
    - Can only install one of: nesbot/carbon[1.26.6, 2.23.1].
    - Can only install one of: nesbot/carbon[1.27.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.28.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.29.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.29.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.29.2, 2.23.1].
    - Can only install one of: nesbot/carbon[1.30.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.31.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.31.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.32.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.33.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.34.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.34.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.34.2, 2.23.1].
    - Can only install one of: nesbot/carbon[1.34.3, 2.23.1].
    - Can only install one of: nesbot/carbon[1.34.4, 2.23.1].
    - Can only install one of: nesbot/carbon[1.35.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.35.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.36.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.36.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.36.2, 2.23.1].
    - Can only install one of: nesbot/carbon[1.37.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.37.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.38.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.38.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.38.2, 2.23.1].
    - Can only install one of: nesbot/carbon[1.38.3, 2.23.1].
    - Can only install one of: nesbot/carbon[1.38.4, 2.23.1].
    - Can only install one of: nesbot/carbon[1.39.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.22.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.22.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.23.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.24.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.24.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.24.2, 2.23.1].
    - Can only install one of: nesbot/carbon[1.25.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.25.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.25.3, 2.23.1].
    - Can only install one of: nesbot/carbon[1.26.0, 2.23.1].
    - Can only install one of: nesbot/carbon[1.26.1, 2.23.1].
    - Can only install one of: nesbot/carbon[1.26.2, 2.23.1].
    - Installation request for nesbot/carbon (locked at 2.23.1) -> satisfiable by nesbot/carbon[2.23.1].


Installation failed, reverting ./composer.json to its original content.

improve `DiscoveryMethod` classes

Currently these 3 classes make little sense: the abstract class defines the property $wellKnownUri and its getter calls getWellKnown(), and the subclasses override the property but add a new getter GetWellKnownUri().

Since the 2 implementations have the well-known URI hardcoded anyway, there's no need for variables. The abstract class can also be made concrete when we allow the $wellKnown to be injected. This way we can use this class directly in our local and test environments by configuring it in the DI container.

ClassInstantiationFailedException: Unexpected exception when instantiating class

I am new to this module. I followed the installation instructions, installed firebase and psr7 dependencies along with the okta/okta-jwt-verifier-php module. I am getting this error, I went through open issues and could not find one. Please let me know how I can fix this or if a workaround exists. Really appreciate any help.

Http\Discovery\Exception\ClassInstantiationFailedException: Unexpected exception when instantiating class. in /root/code/app/vendor/php-http/discovery/src/ClassDiscovery.php on line 220

Call Stack
#  Time    Memory  Function   Location
1  3.1931  362968  {main}( )  .../index.php:0

PHP 7.4.8

Getting "DiscoveryFailedException" when trying to verify jwt.

Hi,

I have followed the instruction and installed required packages. My composer.json looks like below:

{
    "require": {
        "vlucas/phpdotenv": "^5.2",
        "okta/jwt-verifier": "^1.0",
        "firebase/php-jwt": "^5.2",
        "guzzlehttp/psr7": "^1.7"
    },
    "autoload": {
        "psr-4": {
            "Src\\": "src/"
        }
    }
}

I added the following code to my index.php:

<?php
require_once("vendor/autoload.php");

...

// authenticate the request with Okta:
if (! authenticate()) {
   header("HTTP/1.1 401 Unauthorized");
   exit('Unauthorized');
}

function authenticate() {
  try {
    switch(true) {
      case array_key_exists('HTTP_AUTHORIZATION', $_SERVER) :
        $authHeader = $_SERVER['HTTP_AUTHORIZATION'];
        break;
      case array_key_exists('Authorization', $_SERVER) :
        $authHeader = $_SERVER['Authorization'];
        break;
      default :
        $authHeader = null;
        break;
    }
    preg_match('/Bearer\s(\S+)/', $authHeader, $matches);
    if(!isset($matches[1])) {
      throw new \Exception('No Bearer Token');
    }
    $jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
      ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt)
      ->setAudience('api://default')
      ->setClientId($_ENV['OKTACLIENTID'])
      ->setIssuer($_ENV['OKTAISSUER'])
      ->build();
    $result = $jwtVerifier->verify($matches[1]);
    return $result;
  } catch (\Exception $e) {
    error_log($e);
    return false;
  }
}
?>

This generates the following error:

2020/10/13 15:58:40 [error] 82180#82180: *1994 FastCGI sent in stderr: "PHP message: Http\Discovery\Exception\DiscoveryFailedException: Could not find resource using any discovery strategy. Find more information at http://docs.php-http.org/en/latest/discovery.html#common-errors
 - Puli Factory is not available
 - No valid candidate found using strategy "Http\Discovery\Strategy\CommonClassesStrategy". We tested the following candidates: .
 - No valid candidate found using strategy "Http\Discovery\Strategy\CommonPsr17ClassesStrategy". We tested the following candidates: Phalcon\Http\Message\ResponseFactory, Nyholm\Psr7\Factory\Psr17Factory, Zend\Diactoros\ResponseFactory, GuzzleHttp\Psr7\HttpFactory, Http\Factory\Diactoros\ResponseFactory, Http\Factory\Guzzle\ResponseFactory, Http\Factory\Slim\ResponseFactory, Laminas\Diactoros\ResponseFactory.

 in /var/www/api/wg/vendor/php-http/discovery/src/Exception/DiscoveryFailedException.php:41
Stack trace:
#0 /var/www/api/wg/vendor/php-http/discovery/src/ClassDiscovery.php(79): Http\Discovery\Exception\DiscoveryFailedException:" while reading response header from upstream, client: <IP>, server: api.example.com, request: "GET /wg HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "api.example.com", referrer: "http://localhost:4200/"

Could someone please assist to solve this issue?

Are there any plans for PHP 8.1 support in the near future?

Hello,

When PHP 8.0 came out, we had to wait a long time for the simple composer.json update in this package. PHP 8.1 has been out for more than a month. What is the planning for the update to 8.1?

Would it be a possibility to add ^8.0 to the composer.json, so we don't have this problem with 8.2, 8.3, and 8.4 later on?

Thanks a lot,
Jelrik van Hal

Leeway is not working

Hello,

After updating dependencies on a project I'm working on, I noticed the leeway is not working anymore, i.e. it always defaults to zero.

This is because the method Okta\JwtVerifier\Adaptors\FirebasePhpJwt::decode() was updated in this commit 548c7d0 .

The following line was removed:
FirebaseJWT::$leeway = $this->leeway;

This looks like a bug to me. Can anyone confirm whether this is a bug or the line was removed intentionally?

Package improvements

Hey guys,

I'm working on implementing a REST API secured by an Okta Authorization server. Although this package provides everything I need for development, I think I'll face some issues when it comes to production usage. My concerns are the following:

  1. JWK usage: the package currently loads the JWKs via each Adaptor implementation. This is not only a duplication of concerns (both existing adaptor implementations need to implement the fetching of keys even though it is the same process), but it also makes it impossible to implement a caching layer so the keys are not loaded from Okta each time a token needs to be verified: the verifier currently makes 2 calls to Okta during each request, first to get the JWK URL from the authorization server metadata and then to get the keys from that URL.
  2. Since Okta access tokens always contain the cid claim, according to the current implementation of JwtVerifier it must always be verified. My only problem with that is the verifier only supports a single client ID, which means all the consumers of my API must obtain the token using the same Okta app.

I'm wondering if I'm exaggerating these problems due to my limited experience with Okta and OAuth, or whether they are valid concerns?

I am happy to contribute to this package if the following improvements should be made:

  1. inject KeyRepository into JwtVerifier that is responsible for fetching (and caching) JWKs, instead of using Adaptor::getKeys() method.
  2. support passing an array of client IDs to JwtVerifier so it verifies tokens issued for any of the allowed clients.

OpenID KEY caching

Hello,

I noticed that at each call of the library, several calls are made to get the auth key:
1. well-known, to get jwks_uri
2. jwks URI, to get the keys.

Could you please check if we could put in cache these keys?

thanks

PHP 5.6 support

Hi!
Are there any PHP 5.6 ports of this library already? We need to add it into a legacy project which is not migrated to PHP 7 yet.

Not compatible with authorization server

Is there a reason this library is not compatible with the default authorization server?

It looks like the only difference is the "well known" address:
https://${yourOktaDomain}/.well-known/openid-configuration
vs
https://${yourOktaDomain}/oauth2/${authServerId}/.well-known/openid-configuration

Essentially, if not private it should use the domain and not the issuer to get the config and everything else should work, right? This seems easily doable by adding a setPublic flag on the JwtVerifierBuilder, or parsing the issuer for the authServerId and if one isn't set fall back on the default.

I see in these tickets 19 and 50 that this has been brought up before and the solution was to throw an exception instead of supporting the default authorization server.

Why?

php-http/httplug outdated dependency prevents composer require

While trying to require okta/jwt-verifier, we get the following error:

  Problem 1
    - Installation request for okta/jwt-verifier ^0.4.0 -> satisfiable by okta/jwt-verifier[0.4.0].
    - okta/jwt-verifier 0.4.0 requires php-http/httplug ^1.1 -> satisfiable by php-http/httplug[v1.1.0] but these conflict with your requirements or minimum-stability.

We are using php-http/httplug:^2.1.0 because of other dependencies.

Support Carbon version 2

Currently if you install the latest version of Carbon, you are unable to install this library:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Installation request for okta/jwt-verifier ^0.2.1 -> satisfiable by okta/jwt-verifier[0.2.1].
    - okta/jwt-verifier 0.2.1 requires nesbot/carbon ^1.22 -> satisfiable by nesbot/carbon[1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.33.0, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.36.0, 1.36.1] but these conflict with your requirements or minimum-stability.

Unable to lookup correct "kid"

Running into issues verifying JWT in a Laravel app again. This time, we are trying to verify the token as issued from Okta in our Laravel web app. I've followed a couple of tutorials from Okta (https://developer.okta.com/blog/2019/01/15/crud-app-laravel-vue and https://developer.okta.com/blog/2019/09/05/laravel-authentication) to get started.

I can authenticate with Okta and sign in to the application. The challenge I'm having is when the user signs out of Okta, but not the Laravel application, they are obviously still authenticated in the Laravel application. This is problematic for our use cases and provides a less than ideal user experience.

I've posted some comments and questions in other places about this issue. See Socialite middleware to check if authenticated and my comments on the Laravel tutorial.

So, what I have done is created a middleware from the Laravel/Vue tutorial and applied it to one of my routes for testing. Theoretically this middleware will use the stored token from Okta and verify it to see if it is still valid in order to process the request:

<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class AuthenticateWithOkta
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->isAuthorized($request)) {
            return $next($request);
        } else {
            return response('Unauthorized.', 401);
        }
    }

    public function isAuthorized($request)
    {
        if (!Auth::user()) {
            return false;
        }

        $user = Auth::user();
        
        if (!$user->token) {
            return false;
        }
        
        $token = $user->token;

        // Attempt authorization with the user token
        try {
            
            // Setup the JWT Verifier
            $jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
                            ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt)
                            ->setAudience('api://default')
                            ->setClientId('0oa2twkr01nYOcz2O357')
                            ->setIssuer('https://dev-635281.okta.com/oauth2/default')
                            ->build();
                            
            // Verify the JWT for the authenticated user.
            $jwt = $jwtVerifier->verify($token);
            
        } catch (\Exception $e) {
            // You encountered an error, return a 401.
            dd($e->getMessage());
            return false;
        }

        return true;
    }
}

I had a similar issue verifying JWT with our API middleware a while back, and cannot remember what we did to resolve the issue. I do remember that we used jwt.io to compare the token's kid to the keys provided by the authorization server (https://{orgUrl}/oauth2/v1/keys). For example:

[image: the token header as decoded on jwt.io, showing its kid]

vs

{
"keys": [
{
...
"kid": "A8RUZjhiMa51sc3gKrn1sR2TE1WpHIPYeEeoGUUTyHE",
...
},
{
...
"kid": "cKuHnq8ou7Y7FqBf_auODmBf9y_M6bj35EdbxBYzKik",
...
}
]
}

As you can see, the kids do not match. Why this is I do not know. Any feedback is greatly appreciated!

References
#17
#33
https://developer.okta.com/blog/2020/01/15/protecting-a-php-api-with-oauth

PHP Fatal error: Uncaught Http\Discovery\Exception\DiscoveryFailedException: Could not find resource using any discovery strategy

In a brand new install of this library, I am getting the following error:

PHP Fatal error:  Uncaught Http\Discovery\Exception\DiscoveryFailedException: Could not find resource using any discovery strategy. Find more information at http://docs.php-http.org/en/latest/discovery.html#common-errors
 - Puli Factory is not available
 - No valid candidate found using strategy "Http\Discovery\Strategy\CommonClassesStrategy". We tested the following candidates: .
 - No valid candidate found using strategy "Http\Discovery\Strategy\CommonPsr17ClassesStrategy". We tested the following candidates: Phalcon\Http\Message\ResponseFactory, Nyholm\Psr7\Factory\Psr17Factory, Zend\Diactoros\ResponseFactory, GuzzleHttp\Psr7\HttpFactory, Http\Factory\Diactoros\ResponseFactory, Http\Factory\Guzzle\ResponseFactory, Http\Factory\Slim\ResponseFactory, Laminas\Diactoros\ResponseFactory, Slim\Psr7\Factory\ResponseFactory.

In an empty folder, I ran:

composer require okta/jwt-verifier firebase/php-jwt guzzlehttp/psr7

Then created a file test.php containing:

<?php
require('vendor/autoload.php');

$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setIssuer('foo')
    ->setAudience('api://default')
    ->setClientId('foo')
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt())
    ->build();

When running php test.php I get the above error. I tried installing the mentioned libraries at the link in the error:

composer require php-http/curl-client guzzlehttp/psr7 php-http/message

but still get the same errors.

I am running PHP 7.4.16

JWT verifier shows Invalid URL.

Hi, I am using the SpomkyLabsJose for the token verification and the connection parameters are exactly the same provided by the client. But it is showing
Invalid URL.
200

We are using OIDC for the SSO.

Is it an issue with the authorization server? My code is pasted below

<?php
$jwt = $_REQUEST['id_token'];

$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setDiscovery(new \Okta\JwtVerifier\Discovery\Oauth) // This is not needed if using oauth.  The other option is OIDC
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\SpomkyLabsJose)
    ->setAudience('api://default')
    ->setClientId('{clientId}')
    ->setIssuer('https://{yourOktaDomain}.com/oauth2/default')
    ->build();

$jwt = $jwtVerifier->verify($jwt);

dump($jwt); //Returns instance of \Okta\JwtVerifier\JWT

dump($jwt->toJson()); // Returns Claims as JSON Object

dump($jwt->getClaims()); // Returns Claims as they come from the JWT Package used

dump($jwt->getIssuedAt()); // returns Carbon instance of issued at time
dump($jwt->getIssuedAt(false)); // returns timestamp of issued at time

dump($jwt->getExpirationTime()); //returns Carbon instance of Expiration Time
dump($jwt->getExpirationTime(false)); //returns timestamp of Expiration Time

Missing exception when supported JWT library not found

If we use a supported JWT library (spomky-labs/jose and firebase/php-jwt) but those libraries are not installed with composer the program breaks silently.

It should throw an exception claiming something like "spomky-labs/jose library not found"

Don't make client_id validation required

Access token validation is done by a resource server, and it likely will not know the client_id of the client making the request ahead of time, such as when an API is used by an arbitrary number of OAuth clients in an organization. As such, it shouldn't be required to configure the library with a client_id before validating a token.

The Okta .NET and Java SDKs also don't require setting a client_id in order to use the JWT verifier library, so this should match those libraries as well.

PHP 8 Support?

Hello,

Is adding PHP8 support to this library on the roadmap? Lack of support is going to become a blocker on a number of our projects.

Any indication of when this can be expected would be much appreciated.

JwtVerifierBuilder : checks

Hello,

I saw some hardcoded string in JwtVerifierBuilder.php file.
When the authentication object is checked, it's compared with a "dummy" entry:

        if (strstr($issuer, "{yourOktaDomain}") != false) {

        if (strstr($cid, "{clientId}") != false) {

Is it something wanted? This check is totally irrelevant.
Thanks

"kid" empty, unable to lookup correct key

I have the current setup with OKTA:

  • My own Android APP is registered as a native App
  • I can use my APP to log in using OpenID with OKTA. I can get some profile info etc...
  • This APP will call an API deployed on the cloud that I want to protect using "API Management"
  • I just registered a new Authorization server in OKTA and I'm using okta-jwt-verifier-php to try to check if the APP request to the API is ok
    okta-jwt-verifier-php is throwing an exception claiming "kid" empty, unable to lookup correct key

Any clue what might be wrong? KID means Key ID? Can't find this KID concept within OAuth

Make the cache ttl compatible with Symfony

The cache used in the FirebaseJwtAdapter is not compatible with symfony/cache because it uses a Carbon date for the cache item TTL but Symfony only accepts an integer or a DateInterval.

https://github.com/symfony/cache/blob/364fc90734230d936ac2db8e897cc03ec8497bbb/CacheItem.php#L90

    public function expiresAfter($time): self
    {
        if (null === $time) {
            $this->expiry = null;
        } elseif ($time instanceof \DateInterval) {
            $this->expiry = microtime(true) + \DateTime::createFromFormat('U', 0)->add($time)->format('U.u');
        } elseif (\is_int($time)) {
            $this->expiry = $time + microtime(true);
        } else {
            throw new InvalidArgumentException(sprintf('Expiration date must be an integer, a DateInterval or null, "%s" given.', get_debug_type($time)));
        }

        return $this;
    }

So we get the following exception when setting the TTL:

{
    class: "Symfony\\Component\\Cache\\Exception\\InvalidArgumentException"
    detail: "Expiration date must be an integer, a DateInterval or null, \"Carbon\\Carbon\" given."
}

Pull Request : #106
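The two-request pattern described in "OpenID KEY caching" and in item 1 of "Package improvements" (metadata document first, then jwks_uri), the issuer-relative discovery URL from "Not compatible with authorization server", and the integer TTL that symfony/cache insists on in this issue can all be shown in one small key repository. The code below is an added example, not the library's code and not the code of pull request #106. The SimpleCache interface is the subset of PSR-16 the class needs, ArrayCache and the HTTP callable are constructed stand-ins so the script runs offline, and the key set is a shortened constructed JWKS that reuses the two kid values quoted earlier on this page (real keys also carry the "n" and "e" members).

```php
<?php
// Added example (not the library's code): fetch the authorization-server metadata, follow
// jwks_uri, and cache the resulting key set with an integer TTL under a PSR-16 style cache.
// The HTTP client and the cache are constructed stand-ins so the script runs offline.

// The subset of PSR-16 (psr/simple-cache) used here.
interface SimpleCache
{
    public function get(string $key, $default = null);
    public function set(string $key, $value, ?int $ttl = null): bool;
}

final class ArrayCache implements SimpleCache
{
    private $items = [];

    public function get(string $key, $default = null)
    {
        if (!isset($this->items[$key]) || $this->items[$key]['expires'] <= time()) {
            return $default;
        }
        return $this->items[$key]['value'];
    }

    public function set(string $key, $value, ?int $ttl = null): bool
    {
        $this->items[$key] = ['value' => $value, 'expires' => $ttl === null ? PHP_INT_MAX : time() + $ttl];
        return true;
    }
}

final class KeyRepository
{
    public $httpCalls = 0; // counts outbound requests so the effect of caching is visible

    private $issuer;
    private $cache;
    private $httpGet; // callable(string $url): string, returns the response body
    private $ttl;

    public function __construct(string $issuer, SimpleCache $cache, callable $httpGet, int $ttlSeconds = 3600)
    {
        $this->issuer  = $issuer;
        $this->cache   = $cache;
        $this->httpGet = $httpGet;
        $this->ttl     = $ttlSeconds;
    }

    // The metadata document sits at {issuer}/.well-known/openid-configuration for both the org
    // authorization server (issuer https://{domain}) and a custom one (https://{domain}/oauth2/{id}).
    public function metadataUrl(): string
    {
        return rtrim($this->issuer, '/') . '/.well-known/openid-configuration';
    }

    // Returns the key set as kid => JWK, making the two HTTP requests at most once per TTL.
    public function keys(): array
    {
        $cacheKey = 'okta_jwks_' . hash('sha256', $this->issuer);
        $keys = $this->cache->get($cacheKey);
        if (is_array($keys)) {
            return $keys;
        }
        $metadata = $this->fetchJson($this->metadataUrl());
        if (empty($metadata['jwks_uri'])) {
            throw new RuntimeException('Discovery document has no jwks_uri');
        }
        $jwks = $this->fetchJson($metadata['jwks_uri']);
        $keys = [];
        foreach ($jwks['keys'] ?? [] as $jwk) {
            if (!empty($jwk['kid'])) {
                $keys[$jwk['kid']] = $jwk;
            }
        }
        // An int TTL, not a Carbon/DateTime object: symfony/cache's expiresAfter() rejects the latter.
        $this->cache->set($cacheKey, $keys, $this->ttl);
        return $keys;
    }

    private function fetchJson(string $url): array
    {
        $this->httpCalls++;
        $body = json_decode(($this->httpGet)($url), true);
        if (!is_array($body)) {
            throw new RuntimeException("Non-JSON response from $url");
        }
        return $body;
    }
}

// Constructed stand-in for the authorization server. The kid values are the ones quoted earlier
// on this page; the "n"/"e" members of real keys are omitted.
$issuer = 'https://example.okta.com/oauth2/default';
$responses = [
    "$issuer/.well-known/openid-configuration" => json_encode(['issuer' => $issuer, 'jwks_uri' => "$issuer/v1/keys"]),
    "$issuer/v1/keys" => json_encode(['keys' => [
        ['kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => 'A8RUZjhiMa51sc3gKrn1sR2TE1WpHIPYeEeoGUUTyHE'],
        ['kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => 'cKuHnq8ou7Y7FqBf_auODmBf9y_M6bj35EdbxBYzKik'],
    ]]),
];

$repo = new KeyRepository($issuer, new ArrayCache(), function (string $url) use ($responses) {
    return $responses[$url] ?? '';
}, 300);

$repo->keys(); // first verification: metadata request, then jwks_uri request
$repo->keys(); // second verification: served from the cache
echo 'HTTP requests after two key lookups: ', $repo->httpCalls, PHP_EOL;
```

The TTL should stay well below the key rotation interval of the authorization server, and a kid that is missing from the cached set is a reason to refetch once before failing, since rotation can happen between two lookups.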

No usage doc explanation

The usage docs for this library are pretty blank. It currently just shows a code snippet with no explanation of what's going on. It'd be cool to get a read guide that explains what JWTs are, what this library does in more detail, and how to work with JWTs using this library.

Unable to verify nonce

If I use JwtVerifierBuilder::setNonce to provide a nonce, I get a warning:

Undefined index: nonce in vendor/okta/jwt-verifier/src/JwtVerifier.php on line 112

It looks like Okta doesn't actually pass the nonce through when using the code based authentication flow, since 'nonce' doesn't show up in JwtVerifier::getClaims()

verify function is terminating the further code execution if token expired

On validating okta jwt token with
$jwt = $jwtVerifier->verify($jwt);
It is terminating the further code execution if token is expired. Is it possible to handle it if token is expired and accordingly can execute some code (like redirect to login) ? Something like this I need after calling verify function:
$jwt = $jwtVerifier->verify($jwt);
if ($jwt) {
    // ----success code----
} else { // If the token has expired, I want this code to execute..
    header("Location: login");
}

Undefined index: cid

When decoding the id_token there is an aud index in the payload but no cid index is present.

Setting setClientId(null) results in an exception saying it is required.

Is there perhaps an Okta config missing? The odd thing is that the aud key in the payload matches the Okta ClientId, not api://default.

Package spomky-labs/jose is abandoned

I get the following message when attempting to follow the documentation.

Package spomky-labs/jose is abandoned, you should avoid using it. Use web-token/jwt-framework instead.

The examples should probably be updated to recommend the firebase library, web-token library, or some other library that is not abandoned.

ClientID claim name

Hi,

I'm sure it's not an issue, but I wonder why the claim for the "Client ID" is "cid" in the validateClientId method and not "client_id" like the JWT specification seems to describe?

It would be nice to be able to add the capacity in the JwtVerifierBuilder to define the claim name for ClientID (and of course adjust the validateClientId method).

Source : https://www.iana.org/assignments/jwt/jwt.xhtml

Claim Name | Claim Description
client_id | Client Identifier

Unable to use provided adaptors

I have followed the setup instructions and have a basic PHP backend to verify the JWT token issued from one of our mobile applications. Neither the SpomkyLabsJose provider nor the Firebase provider is working:

$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setDiscovery(new \Okta\JwtVerifier\Discovery\Oauth) // This is not needed if using oauth.  The other option is OIDC
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\SpomkyLabsJose())
    ->setAudience('api://default')
    ->setClientId('{{CLIENT_ID}}')
    ->setIssuer('https://{{ORG__URL}}.com/oauth2/default')
    ->build();

$jwt = $jwtVerifier->verify($jwt);

dump($jwtVerifier);

is producing this error:

filter_var(): explicit use of FILTER_FLAG_SCHEME_REQUIRED and FILTER_FLAG_HOST_REQUIRED is deprecated

Switching to the Firebase adaptor produces:
"kid" invalid, unable to lookup correct key
which is mentioned in #17

It seems the SpomkyLabsJose adaptor is deprecated as mentioned in #27 and there is missing information for the other adaptor. What can I do to resolve this as I need to validate JWTs issued from the mobile client. Any help is appreciated! Thank you!

Http\Discovery\Exception\PuliUnavailableException: Puli Factory is not available

Hi! I followed this article https://developer.okta.com/blog/2018/08/23/symfony-react-php-crud-app where he uses this plugin, but I have an issue when I include the authentication fragment in my code:

    /**
     * @Route("/movies",methods="GET")
     */
    public function index(MovieRepository $movieRepository)
    {
        if (! $this->isAuthorized()) {
            return $this->respondUnauthorized();
        }

        $movies = $movieRepository->transformAll();

        return $this->respond($movies);
    }

I get this error when It setups the JWT verifier:

Exception has occurred.
Http\Discovery\Exception\PuliUnavailableException: Puli Factory is not available

BTW I'm using Symfony 4...

any ideas?

Understanding JwT verification - Expiration Time and Signature

Thank you for your work on the okta-jwt-verifier-php.

I am trying to make sure that I am using this correctly:
https://github.com/okta/okta-jwt-verifier-php#validating-an-access-token

$jwt = $jwtVerifier->verifyAccessToken($jwtString);
• token expiration time
• the time it was issued at
• that the token issuer matches the expected value passed into the above helper
• that the token audience matches the expected value passed into the above helper

I don't see anywhere in the code that actually checks the token expiration time. Am I missing something?

I am also trying to understand where the signature verification occurs.

Thanks,
Aidan.

UnexpectedValueException: "kid" invalid, unable to lookup correct key

I have the Angular sample login. Pass that id_token into PHP.
PHP has the required libraries, calls the autoload.php properly.

$jwtVerifier = ( new \Okta\JwtVerifier\JwtVerifierBuilder() )
    ->setAdaptor( new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt() )
    ->setClientId( '{myClientID}' )
    ->setAudience('api://default')
    ->setIssuer( 'https://myCompany.okta.com/oauth2/default' )
    ->build();

$token = $jwtVerifier->verifyIdToken($jwt);

Yields this:
UnexpectedValueException: "kid" invalid, unable to lookup correct key in /vendor/firebase/php-jwt/src/JWT.php:117

I've followed several different protocols, they look simple enough and I keep coming back to this.
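The "kid" errors quoted in several issues above (Unable to lookup correct "kid", "kid" empty, the Firebase adaptor error in the adaptors issue, and this one) all come from the same step: the verifier reads the key ID from the token header and looks it up in the key set it fetched for the configured issuer. A key set belongs to one authorization server. The org authorization server publishes its keys under /oauth2/v1/keys, while a custom authorization server such as the one at the /oauth2/default issuer publishes its own under {issuer}/v1/keys, so a token from one never matches the keys of the other. The following is an added example, not code from okta-jwt-verifier-php or firebase/php-jwt: it shows the lookup and an RS256 verification with plain openssl calls. The key pairs, the token and the kid derivation are constructed here so it runs offline, and the key set is given as kid => PEM, the form a JWT library produces from a JWKS document.

```php
<?php
// Added example (not code from okta-jwt-verifier-php or firebase/php-jwt): how a verifier
// selects the signing key by the token header's "kid" and what the "kid" errors quoted in
// the issues mean. Key pairs and the token are constructed here so the script runs offline.

function base64urlEncode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function base64urlDecode(string $txt): string
{
    $pad = strlen($txt) % 4;
    if ($pad !== 0) {
        $txt .= str_repeat('=', 4 - $pad);
    }
    $bin = base64_decode(strtr($txt, '-_', '+/'), true);
    if ($bin === false) {
        throw new UnexpectedValueException('Invalid base64url segment');
    }
    return $bin;
}

// Read the JOSE header of a compact JWT. Nothing in it is trusted yet; it only says which key to try.
function jwtHeader(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('Wrong number of segments');
    }
    $header = json_decode(base64urlDecode($parts[0]), true);
    if (!is_array($header)) {
        throw new UnexpectedValueException('Invalid header encoding');
    }
    return $header;
}

// $keysByKid is kid => PEM public key, the form a JWT library derives from the JWKS document's
// "n"/"e" members (firebase/php-jwt does this in JWK::parseKeySet). The messages are the ones
// firebase/php-jwt raises, as quoted in the issues.
function selectKey(array $header, array $keysByKid): string
{
    if (empty($header['kid'])) {
        throw new UnexpectedValueException('"kid" empty, unable to lookup correct key');
    }
    if (!isset($keysByKid[$header['kid']])) {
        throw new UnexpectedValueException('"kid" invalid, unable to lookup correct key');
    }
    return $keysByKid[$header['kid']];
}

// Verify an RS256 token against the key set and return its claims; throws on any failure.
function verifyRs256(string $jwt, array $keysByKid): array
{
    $header = jwtHeader($jwt);
    // Pin the algorithm; the token must not be allowed to pick a weaker one.
    if (($header['alg'] ?? null) !== 'RS256') {
        throw new UnexpectedValueException('Unsupported alg');
    }
    $pem = selectKey($header, $keysByKid);
    [$h, $p, $s] = explode('.', $jwt);
    if (openssl_verify("$h.$p", base64urlDecode($s), $pem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new UnexpectedValueException('Signature verification failed');
    }
    return json_decode(base64urlDecode($p), true);
}

// Constructed fixtures: one key pair per authorization server.
function makeKeyPair(): array
{
    $private = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $details = openssl_pkey_get_details($private);
    // Okta's kid values are opaque; a hash of the modulus is used here only to get a realistic-looking one.
    $kid = base64urlEncode(hash('sha256', $details['rsa']['n'], true));
    return ['kid' => $kid, 'private' => $private, 'public' => $details['key']];
}

function signRs256(array $claims, array $keyPair): string
{
    $h = base64urlEncode(json_encode(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $keyPair['kid']]));
    $p = base64urlEncode(json_encode($claims));
    openssl_sign("$h.$p", $sig, $keyPair['private'], OPENSSL_ALGO_SHA256);
    return "$h.$p." . base64urlEncode($sig);
}

$customAs = makeKeyPair(); // keys the verifier fetches from {issuer}/v1/keys for the configured issuer
$orgAs    = makeKeyPair(); // keys published by a different authorization server (e.g. /oauth2/v1/keys)

$token = signRs256(['iss' => 'https://example.okta.com/oauth2/default', 'sub' => 'user@example.com'], $customAs);

// Key set of the issuer that signed the token: verification succeeds and the claims come back.
print_r(verifyRs256($token, [$customAs['kid'] => $customAs['public']]));

// Key set of another authorization server: the kid is not in it, the failure path the issues report.
try {
    verifyRs256($token, [$orgAs['kid'] => $orgAs['public']]);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

When debugging a kid mismatch, compare the token's iss claim with the issuer configured on the builder and fetch {issuer}/v1/keys for that exact issuer; a kid present in the keys of a different authorization server is the expected result, not a corrupted token.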

Nonce does not match what is expected

Hi,

This client is great. Thanks for building it. The only part tripping me up is the nonce.

I'm using Okta OIDC. We're doing client-side verification in a React app and I plan on passing the id_token to our API for validation and passing back a session token.

$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
  ->setDiscovery(new \Okta\JwtVerifier\Discovery\Oidc)
  ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt)
  ->setAudience('{client_id}')
  ->setClientId('{client_id}')
  ->setIssuer('https://{custom}.okta.com')
  ->setNonce(null)
  ->build();

$jwt = $jwtVerifier->verify($okta_jwt);

This results in:
Nonce does not match what is expected. Make sure to provide the nonce with 'setNonce()' from the JwtVerifierBuilder.

The id_token already has a nonce and the verifier is trying to check that the nonce for the builder matches. If I don't include setNonce or pass null to setNonce, I still get the same error. Am I doing something wrong here? If I set the nonce manually to what I know it is in the token, everything appears to work fine.

My only other thought to get around this is to build my own Adaptor where after the decode I set the nonce to null. I may need to do this anyway since my Okta setup doesn't return a cid in the jwt; the client id comes back in the aud field.

Any thoughts you have on this would be greatly appreciated.

Lax validation when parts are not specified

There are a few places where the validation feels too strict.

  1. Requiring a clientId is arbitrary when checking a token in an API and should be allowed to be skipped.
  2. Even when not setting an audience the check still fails due to the token having an audience. The engineer should be able to say they do not care about the audience. (This actually extends to all 3 checks.)

validating jwt from client credentials flow

I am looking to validate a JWT issued by Okta for the Client Credentials flow. Please let me know if this should be asked instead in the Okta dev forums.

I am building an API that many other systems will call for machine to machine communication. Each system hits the same URL in the API. From what I understand with the Client Credentials flow, each system will have a separate application in Okta, so each will have its own client id.

When using okta-jwt-verifier-php, it seems that I have to pass a client id using setClientId(). If I don't, I get back an error "ClientId does not match what is expected".

I could be misunderstanding how Client Credentials works, but in this scenario, each JWT will have a different client id since each system will have its own application. Is that correct, and if so, is there a way that I can validate JWTs where the client id could be one of many possible valid client ids? I will be validating the client id in my own code after the JWT is verified.

Or does the Client Credentials flow work differently?

Thank you for your help.

Autodiscover jwt libraries

We should be able to auto-discover supported JWT libraries so the user does not have to include it in the setup

Nonce does not match

error message: Nonce does not match what is expected. Make sure to provide the nonce with setNonce() from the JwtVerifierBuilder.
please help to fix this issue.
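The remaining validation complaints on this page are about claim checks rather than signatures: leeway being ignored ("Leeway is not working"), an expired token terminating the script instead of being catchable, a single mandatory client ID when an API serves many clients (the client credentials question, "Don't make client_id validation required", "Lax validation when parts are not specified"), and a nonce check that fires even when no nonce was supplied (both "Nonce does not match" issues). The class below is an added example, not the library's JwtVerifier: it applies those checks after signature verification with each of them made optional, using firebase/php-jwt's leeway semantics for exp, nbf and iat. Claim sets are constructed inline and the clock is passed in explicitly so the runs are reproducible.

```php
<?php
// Added example (not the library's JwtVerifier): the claim checks applied after signature
// verification, each one optional so an API can choose what it enforces. Claim sets are
// constructed inline and the clock is passed in explicitly to keep the runs reproducible.

final class ClaimValidationException extends UnexpectedValueException
{
}

final class ClaimValidator
{
    private $issuer;
    private $audience;         // null: the caller does not care about aud
    private $allowedClientIds; // empty: cid is not checked here (the API checks it itself, or accepts any client)
    private $nonce;            // null: nonce is not checked (access tokens, or flows where none was sent)
    private $leeway;           // seconds of clock skew tolerated on exp/nbf/iat

    public function __construct(string $issuer, ?string $audience = null, array $allowedClientIds = [], ?string $nonce = null, int $leeway = 0)
    {
        $this->issuer = $issuer;
        $this->audience = $audience;
        $this->allowedClientIds = $allowedClientIds;
        $this->nonce = $nonce;
        $this->leeway = $leeway;
    }

    // Throws ClaimValidationException on the first failed check; returns the claims otherwise.
    public function validate(array $claims, ?int $now = null): array
    {
        $now = $now ?? time();

        if (($claims['iss'] ?? null) !== $this->issuer) {
            throw new ClaimValidationException('Issuer does not match what is expected');
        }
        // Time checks with leeway, same semantics as firebase/php-jwt (JWT::$leeway).
        if (isset($claims['exp']) && $now >= $claims['exp'] + $this->leeway) {
            throw new ClaimValidationException('Expired token');
        }
        if (isset($claims['nbf']) && $claims['nbf'] > $now + $this->leeway) {
            throw new ClaimValidationException('Cannot handle token prior to nbf');
        }
        if (isset($claims['iat']) && $claims['iat'] > $now + $this->leeway) {
            throw new ClaimValidationException('Cannot handle token prior to iat');
        }
        if ($this->audience !== null) {
            $aud = (array) ($claims['aud'] ?? []); // RFC 7519: aud is a string or an array of strings
            if (!in_array($this->audience, $aud, true)) {
                throw new ClaimValidationException('Audience does not match what is expected');
            }
        }
        if ($this->allowedClientIds !== []) {
            // Okta access tokens carry the client in "cid"; "client_id" is the IANA-registered name.
            $cid = $claims['cid'] ?? $claims['client_id'] ?? null;
            if (!in_array($cid, $this->allowedClientIds, true)) {
                throw new ClaimValidationException('ClientId does not match what is expected');
            }
        }
        if ($this->nonce !== null && ($claims['nonce'] ?? null) !== $this->nonce) {
            throw new ClaimValidationException('Nonce does not match what is expected');
        }
        return $claims;
    }
}

// Turn the exception into a boolean so the caller can redirect to login instead of the script dying.
function tryValidate(ClaimValidator $validator, array $claims, ?int $now = null): bool
{
    try {
        $validator->validate($claims, $now);
        return true;
    } catch (ClaimValidationException $e) {
        error_log($e->getMessage());
        return false;
    }
}

// Constructed claim sets.
$issuer = 'https://example.okta.com/oauth2/default';
$now = 1700000000;
$accessClaims = ['iss' => $issuer, 'aud' => 'api://default', 'cid' => 'client-a', 'iat' => $now, 'exp' => $now + 60];

// API called by several OAuth clients (client credentials): accept any registered cid, ignore aud, 30 s leeway.
$api = new ClaimValidator($issuer, null, ['client-a', 'client-b'], null, 30);
var_dump(tryValidate($api, $accessClaims, $now));                         // registered client
var_dump(tryValidate($api, ['cid' => 'client-z'] + $accessClaims, $now)); // unregistered client
var_dump(tryValidate($api, $accessClaims, $now + 80));                    // 20 s past exp, inside the leeway
var_dump(tryValidate($api, $accessClaims, $now + 100));                   // 40 s past exp, rejected but handled

// ID token: aud is the client ID, and the nonce is only compared when the caller supplies the one it sent.
$idClaims = ['iss' => $issuer, 'aud' => 'client-a', 'nonce' => 'n-123', 'iat' => $now, 'exp' => $now + 60];
var_dump(tryValidate(new ClaimValidator($issuer, 'client-a'), $idClaims, $now));              // nonce not checked
var_dump(tryValidate(new ClaimValidator($issuer, 'client-a', [], 'n-123'), $idClaims, $now)); // matching nonce
var_dump(tryValidate(new ClaimValidator($issuer, 'client-a', [], 'other'), $idClaims, $now)); // mismatch
```

Leaving aud unchecked is a deliberate choice the resource server makes, not a default: an access token minted for one API must not be accepted by another, so an API that knows its audience should set it, and skip only the client ID check when it serves many clients.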
