AccessTokenVerifier can throw undocumented exceptions about okta-jwt-verifier-java HOT 10 OPEN

@ethanmills
The issuer is known in advance in advance when configuring the library, so the library already knows where to get the keys from.

What you are suggesting was a common vulnerability in JWT libraries early on. It would be like asking someone who handed you counterfeit money to validate it.
Similarly, this is why the jku claim should not be used:
https://www.rfc-editor.org/rfc/rfc7515#section-4.1.2
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bcp-07#section-3.10

The high level is a JWT library MUST be configured with the issuer (more specifically, the key information) before a JWT is parsed.
The JWT signature is validated (with existing the key information)
The body is parsed
The claims are validated

from okta-jwt-verifier-java.

Thanks for the reply @bdemers . I appreciate what you're getting at, but think that it doesn't quite cover the whole picture. Consider the case where a resource server trusts tokens issued by two different issuers. The flow then looks like

1. library is configured with set of trusted issuers
2. issuer is retrieved from token - rejected if not in set
3. keys retrieved from jwks url published in well-known configuration by trusted issuer
4. JWT signature validated
5. claims validated

That's the flow followed by e.g. https://docs.spring.io/spring-security/site/docs/current/api/org/springframework/security/oauth2/server/resource/authentication/JwtIssuerAuthenticationManagerResolver.html

from okta-jwt-verifier-java.

Happy to file a pull request for this by the way.

from okta-jwt-verifier-java.

Hey @Sovietaced!

When this happens can you grab the JWT you are trying to validate? That should help narrow down the problem

from okta-jwt-verifier-java.

When this happens can you grab the JWT you are trying to validate? That should help narrow down the problem

I can try to grab the JWT. We typically don't log it but I can change that.

from okta-jwt-verifier-java.

I was about to raise this an issue. @bdemers I noticed this today when the signing keys are rotated. How will this library know that the signing key is rotated and Use RemoteJwksSigningKeyResolver?

Can you please let jus know what is the cache duration and the frequency of requests to remote jwks uri?

Also, please confirm if the backend calls from UI can validate id token and access token using this library or should the backend just validate signature?

from okta-jwt-verifier-java.

There are a few questions in here, so I'll try to answer all of them, but there is a healthy dose of "it depends"

First, if possible your backend should handle authentication(e.g. redirect to login), then your frontend simply uses cookies to deal with the user's session. This isn't a one size fits all solution, but when possible, it's usually the best option. If your frontend handles authentication (which sounds like what you are doing), and ends up with an access token, you treat your REST API as an OAuth "Resource Server". Your frontend sets a header: Authentication: Bearer <access_token>, (NOT the id token) and your REST API can validate this token in one of two different ways:

1.) Remotely (per OAuth spec)
2.) locally (using a JWT)

NOTE: The fact that Okta's access tokens are JWTs is an implementation detail (a common one, as a lot of other vendors, do this as well).

This post is Spring specific, but it talks about this topic in a more general sense as well.

I bring this up because when using a JWT, there is always the possibility of stale tokens (from the above post):

The biggest downside to validating a token locally is that your token is, by definition, stale. It is a snapshot of the moment in time when your identity provider (IdP) created the token. The further away you get from that moment, the more likely that token is no longer valid: it could have been revoked, the user could have logged out, or the application that created the token disabled.

That said, back to the answers.
This lib uses a very simplistic cache, (a map in memory), keys are cached until another request is made to the "keys" endpoint. Requests are only made to the keys endpoint when unknown kid claims are found. There is some discussion about this in #30, so that might be the best place to continue this thread.

from okta-jwt-verifier-java.

@bdemers the headline here is still an issue (the method throws undocumented java.lang.IllegalArgumentException and com.okta.commons.http.HttpException). I'd also suggest checking the exp of the token before verifying the signature; we're seeing issues trying to fetch keys that have been rotated away for tokens older than 3 months. Either way, if the key isn't present or the token is expired, I'd expect this method to throw a documented exception.

from okta-jwt-verifier-java.

@ethanmills any content inside the JWT bod cannot be trusted until the signature is validated.

from okta-jwt-verifier-java.

Is there a concern about malicious content, or just false information? I think you have to decode the payload to get the issuer before you can fetch the keys anyway, so rejecting early (never accepting) based on an exp in the past seems safe?

from okta-jwt-verifier-java.