Comments (5)
Anyone able to merge this PR? Or if not, why hasn't it been merged? I'd like to get this code in.
from okta-auth-js.
Hey @Daniel-Houston - not sure I'm quite following why you'd need to pass this through the getWithRedirect method, when the clientID is already bound to the okta-auth-js object.
Regarding token validation - best practice is to assert against a known set of claims (issuer, aud, etc.) that are configured ahead of time, so you wouldn't need to be dependent on a cookie.
Are you using the token.verify method immediately after parsing tokens from the URL?
It might be helpful if you could give a little bit more information about your flow.
Thanks!
from okta-auth-js.
Hey @jmelberg-okta, thanks for the reply!
My flow is a little bit wonky, and I think that's what led me to find this problem. I have created a UI 'shell' that loads different single-page apps depending on your url path base. e.g. If I have app1 and app2, and my url is www.example.com, when I navigate to www.example.com, the shell loads and takes me to www.example.com/app1. Then, when I click a top-level menu button it routes me to www.example.com/app2 and loads a different SPA. I know this is a little weird given the notion of a 'Single-Page-App' but our website has some special needs.
That being said, I configured both app1 and app2 in Okta as separate applications, and instead of passing in the clientID in the AuthClient constructor, I'm passing in the clientID for my different apps in the getWithRedirect() method, in order to allow me to use one AuthClient for multiple client applications. When I do that, I get an error: 'The jwt, iss, and aud arguments are all required' which I traced to lib/oauthUtil.js#validateClaims line 106.
function validateClaims(sdk, claims, aud, iss, nonce) {
if (!claims || !iss || !aud) {
throw new AuthSdkError('The jwt, iss, and aud arguments are all required');
}
...
That clued me in to find that the clientID is being passed to that function from lib/token.js#verifyToken as the audience parameter.
oauthUtil.validateClaims(sdk, jwt.payload, token.clientId, token.issuer, nonce);
By following the chain up (verifyToken -> handleOAuthResponse -> parseFromUrl), I found that if the clientID isn't given as part of the AuthClient configuration, then it will be undefined when assigned in handleOAuthResponse,
function handleOAuthResponse(sdk, oauthParams, res, urls) {
urls = urls || {};
var tokenTypes = oauthParams.responseType;
var scopes = util.clone(oauthParams.scopes);
// ClientId is not in oauthParams (parsed from cookie) nor the sdk.options
var clientId = oauthParams.clientId || sdk.options.clientId;
eventually causing the error in validateClaims (referenced above). My solution for this was to include the clientID in the cookie to account for the case that it was passed in as a parameter to one of the get methods (getWithRedirect, etc).
If you don't like this approach, I would recommend changing your documentation to say that clientID is required as part of the client configuration here.
Does that make more sense?
from okta-auth-js.
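As an added illustration of the chain described in the comment above (this is not okta-auth-js code and not the commenter's patch), the following Node.js example models the redirect/callback round trip: transaction parameters are saved before the redirect, read back on the callback, the client ID is resolved as `oauthParams.clientId || sdk.options.clientId`, and the ID token claims are checked. The storage, the function names (`saveTransaction`, `loadTransaction`, `resolveClientId`, `handleCallback`, `demo`), the issuer URL and client IDs are all constructed for the example. The only error string taken from the thread is the one quoted in the comment; the other messages are the example's own. The `aud` check goes slightly beyond the thread by accepting the string-or-array form OpenID Connect allows and requiring `azp` when several audiences are present.

```javascript
'use strict';

class AuthSdkError extends Error {
  constructor(message) { super(message); this.name = 'AuthSdkError'; }
}

// Constructed stand-in for the cookie/storage the SDK writes before the
// redirect and reads back when it parses the callback URL.
const transactionStore = new Map();

// Saved before the redirect. Persisting clientId here is the change the
// comment proposes; omitting it reproduces the reported failure.
function saveTransaction(key, { state, nonce, clientId, issuer, responseType, scopes }) {
  transactionStore.set(key, { state, nonce, clientId, issuer, responseType, scopes });
}

function loadTransaction(key) {
  return transactionStore.get(key);
}

// Same resolution order as the handleOAuthResponse line quoted in the comment:
// the value stored with the transaction wins, then the SDK-wide option.
function resolveClientId(oauthParams, sdkOptions) {
  return oauthParams.clientId || sdkOptions.clientId;
}

// Claim checks in the spirit of validateClaims. `claims` is the payload of an
// ID token whose signature has already been verified.
function validateClaims(claims, aud, iss, nonce, now = Math.floor(Date.now() / 1000)) {
  if (!claims || !iss || !aud) {
    throw new AuthSdkError('The jwt, iss, and aud arguments are all required');
  }
  if (claims.iss !== iss) {
    throw new AuthSdkError(`issuer [${claims.iss}] does not match expected [${iss}]`);
  }
  // OIDC permits aud to be a single string or an array of strings.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(aud)) {
    throw new AuthSdkError(`audience [${audiences.join(',')}] does not contain [${aud}]`);
  }
  // With several audiences, azp must name this client (OIDC Core 3.1.3.7).
  if (audiences.length > 1 && claims.azp !== aud) {
    throw new AuthSdkError('azp must equal the client id when aud lists several audiences');
  }
  if (nonce && claims.nonce !== nonce) {
    throw new AuthSdkError('response nonce does not match request nonce');
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    throw new AuthSdkError('token has expired');
  }
  return true;
}

// Models parseFromUrl -> handleOAuthResponse -> verifyToken on the callback.
function handleCallback(key, sdkOptions, decodedIdToken, returnedState, now) {
  const oauthParams = loadTransaction(key);
  if (!oauthParams || oauthParams.state !== returnedState) {
    throw new AuthSdkError('response state does not match request state');
  }
  const clientId = resolveClientId(oauthParams, sdkOptions);
  const issuer = oauthParams.issuer || sdkOptions.issuer;
  validateClaims(decodedIdToken, clientId, issuer, oauthParams.nonce, now);
  return { clientId, issuer };
}

// Runs both scenarios from the thread with constructed data: an SDK built
// without clientId, and a per-call clientId for "app2".
function demo() {
  const ISSUER = 'https://example.okta.com/oauth2/default'; // constructed
  const sdkOptions = { issuer: ISSUER }; // no clientId at construction
  const now = 1700000000; // fixed clock so the run is deterministic
  const idToken = { iss: ISSUER, aud: 'app2-client-id', nonce: 'n-1', exp: now + 3600 };

  // Bug: clientId passed only to getWithRedirect() never reaches storage.
  saveTransaction('tx-bug', { state: 's-1', nonce: 'n-1', issuer: ISSUER });
  let bugMessage;
  try { handleCallback('tx-bug', sdkOptions, idToken, 's-1', now); }
  catch (e) { bugMessage = e.message; }

  // Fix: the per-call clientId is persisted with the transaction.
  saveTransaction('tx-fix', { state: 's-1', nonce: 'n-1', issuer: ISSUER, clientId: 'app2-client-id' });
  const fixed = handleCallback('tx-fix', sdkOptions, idToken, 's-1', now);
  return { bugMessage, fixedClientId: fixed.clientId };
}
```

The point of `resolveClientId` is that whichever value ends up as `aud` is the one the ID token is checked against, so the value must be fixed at the time the redirect is issued and survive the round trip; pulling it from the callback URL or from a parameter the attacker can influence would let a token minted for a different client pass validation.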
Thanks @Daniel-Houston! That helps provide a bit more context in why you're seeing this issue. It seems like we're expecting oauthParams.clientId to exist in the cookie (via this method).
I'll try and get to #103 this week or next!
from okta-auth-js.
Resolved with 2.0.0.
from okta-auth-js.
Related Issues (20)
- Snyk High Vulnerability: SNYK-JS-INFLIGHT-6095116 through [email protected] HOT 2
- Validate claims does not follow OpenID spec for audience validation HOT 3
- Okta License appears in build 196 times HOT 3
- token.getWithRedirect not happening immediately HOT 3
- 'OktaAuthModule' does not appear to be an NgModule class. HOT 1
- TokenManager.emitAdded() called multiple times on tab duplication HOT 1
- Error when httpRequest deletes STATE_TOKEN_KEY_NAME from storage HOT 4
- Migrate type tests to TSTyche HOT 4
- Uncaught (in promise) TypeError: wellKnownResponse is undefined HOT 3
- "autoRenew" deprecation notice should link to new functionallity
- Cannot sign out when DSSO is enabled HOT 1
- field validation errors not showing up with associated fields
- getTokens() - Add check to see if tokens are expired (or will in 30s) and try to refresh if so HOT 1
- creating a new account sdk does not crete session HOT 3
- index.js:76 [okta-auth-sdk] WARN: a saved auth transaction exists in storage. This may indicate another auth flow is already in progress. HOT 1
- Package uses a deprecated feature that is being reported as an issue in my Application. HOT 1
- Separate token.getWithPopup from Enrollment when using Social HOT 1
- errorcode:login_required : The client specified not to prompt, but the user is not logged in HOT 3
- getOrRenewAccessToken method is missing in 7.7.0 release
- Okta magic link not working in different browser without OTP HOT 1