okta / okta-jwt-verifier-php
A helper library for working with JWT's for Okta
If I use JwtVerifierBuilder::setNonce to provide a nonce, I get a warning:
Undefined index: nonce in vendor/okta/jwt-verifier/src/JwtVerifier.php on line 112
It looks like Okta doesn't actually pass the nonce through when using the code based authentication flow, since 'nonce' doesn't show up in JwtVerifier::getClaims()
Upon running composer require okta/jwt-verifier I get this error. Any suggestions?
Using version ^0.2.1 for okta/jwt-verifier
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.
Problem 1
- Installation request for okta/jwt-verifier ^0.2.1 -> satisfiable by okta/jwt-verifier[0.2.1].
- Conclusion: remove nesbot/carbon 2.23.1
- Conclusion: don't install nesbot/carbon 2.23.1
- okta/jwt-verifier 0.2.1 requires nesbot/carbon ^1.22 -> satisfiable by nesbot/carbon[1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.25.1, 1.25.3, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.26.5, 1.26.6, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.33.0, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.36.0, 1.36.1, 1.36.2, 1.37.0, 1.37.1, 1.38.0, 1.38.1, 1.38.2, 1.38.3, 1.38.4, 1.39.0].
- Can only install one of: nesbot/carbon[1.26.3, 2.23.1].
- Can only install one of: nesbot/carbon[1.26.4, 2.23.1].
- Can only install one of: nesbot/carbon[1.26.5, 2.23.1].
- Can only install one of: nesbot/carbon[1.26.6, 2.23.1].
- Can only install one of: nesbot/carbon[1.27.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.28.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.29.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.29.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.29.2, 2.23.1].
- Can only install one of: nesbot/carbon[1.30.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.31.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.31.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.32.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.33.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.34.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.34.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.34.2, 2.23.1].
- Can only install one of: nesbot/carbon[1.34.3, 2.23.1].
- Can only install one of: nesbot/carbon[1.34.4, 2.23.1].
- Can only install one of: nesbot/carbon[1.35.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.35.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.36.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.36.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.36.2, 2.23.1].
- Can only install one of: nesbot/carbon[1.37.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.37.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.38.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.38.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.38.2, 2.23.1].
- Can only install one of: nesbot/carbon[1.38.3, 2.23.1].
- Can only install one of: nesbot/carbon[1.38.4, 2.23.1].
- Can only install one of: nesbot/carbon[1.39.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.22.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.22.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.23.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.24.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.24.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.24.2, 2.23.1].
- Can only install one of: nesbot/carbon[1.25.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.25.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.25.3, 2.23.1].
- Can only install one of: nesbot/carbon[1.26.0, 2.23.1].
- Can only install one of: nesbot/carbon[1.26.1, 2.23.1].
- Can only install one of: nesbot/carbon[1.26.2, 2.23.1].
- Installation request for nesbot/carbon (locked at 2.23.1) -> satisfiable by nesbot/carbon[2.23.1].
Installation failed, reverting ./composer.json to its original content.
Hi! I followed this article https://developer.okta.com/blog/2018/08/23/symfony-react-php-crud-app where he uses this plugin, but I have an issue when I include the authentication fragment in my code:
    /**
     * @Route("/movies", methods="GET")
     */
    public function index(MovieRepository $movieRepository)
    {
        // Reject the request unless the caller presented a valid Okta JWT
        if (! $this->isAuthorized()) {
            return $this->respondUnauthorized();
        }

        $movies = $movieRepository->transformAll();

        return $this->respond($movies);
    }
I get this error when it sets up the JWT verifier:
Exception has occurred.
Http\Discovery\Exception\PuliUnavailableException: Puli Factory is not available
BTW I'm using Symfony 4...
any ideas?
Hello,
When PHP 8.0 came out, we had to wait a long time for the simple composer.json
update in this package. PHP 8.1 has been out for more than a month. What is the planning for the update to 8.1?
Would it be a possibility to add ^8.0 to the composer.json, so we don't have this problem with 8.2, 8.3, and 8.4 later on?
Thanks a lot,
Jelrik van Hal
If we use a supported JWT library (spomky-labs/jose and firebase/php-jwt) but those libraries are not installed with composer, the program breaks silently.
It should throw an exception claiming something like "spomky-labs/jose library not found"
Everything was working fine with the developer console. I am getting an error when switching to the production org account.
Started getting the error after switching from xxx.oktapreview.com to xxx.okta.com.
I tried to change the issuer from 'https://xxx.oktapreview.com/oauth2/default' to 'https://xxx.okta.com'.
Exception trace:
File: /vendor/okta/jwt-verifier/src/JwtVerifier.php
Line: 90
Error: Undefined property: stdClass::$jwks_uri
Running into issues verifying JWT in a Laravel app again. This time, we are trying to verify the token as issued from Okta in our Laravel web app. I've followed a couple of tutorials from Okta (https://developer.okta.com/blog/2019/01/15/crud-app-laravel-vue and https://developer.okta.com/blog/2019/09/05/laravel-authentication) to get started.
I can authenticate with Okta and sign in to the application. The challenge I'm having is when the user signs out of Okta, but not the Laravel application, they are obviously still authenticated in the Laravel application. This is problematic for our use cases and provides a less than ideal user experience.
I've posted some comments and questions in other places about this issue. See Socialite middleware to check if authenticated and my comments on the Laravel tutorial.
So, what I have done is created a middleware from the Laravel/Vue tutorial and applied it to one of my routes for testing. Theoretically this middleware will use the stored token from Okta and verify it to see if it is still valid in order to process the request:
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class AuthenticateWithOkta
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        if ($this->isAuthorized($request)) {
            return $next($request);
        } else {
            return response('Unauthorized.', 401);
        }
    }

    public function isAuthorized($request)
    {
        if (!Auth::user()) {
            return false;
        }

        $user = Auth::user();

        // The Okta token that was stored on the user at login
        if (!$user->token) {
            return false;
        }

        $token = $user->token;

        // Attempt authorization with the user token
        try {
            // Setup the JWT Verifier
            $jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
                ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt)
                ->setAudience('api://default')
                ->setClientId('0oa2twkr01nYOcz2O357')
                ->setIssuer('https://dev-635281.okta.com/oauth2/default')
                ->build();

            // Verify the JWT for the authenticated user.
            $jwt = $jwtVerifier->verify($token);
        } catch (\Exception $e) {
            // You encountered an error, return a 401.
            // Note: dd() dumps and halts the request, so the return below is
            // only reached once this debugging line is removed.
            dd($e->getMessage());
            return false;
        }

        return true;
    }
}
I had a similar issue verifying JWT with our API middleware a while back, and cannot remember what we did to resolve the issue. I do remember that we used jwt.io to compare the token's kid to the keys provided by the authorization server (https://{orgUrl}/oauth2/v1/keys). For example:
vs
{
    "keys": [
        {
            ...
            "kid": "A8RUZjhiMa51sc3gKrn1sR2TE1WpHIPYeEeoGUUTyHE",
            ...
        },
        {
            ...
            "kid": "cKuHnq8ou7Y7FqBf_auODmBf9y_M6bj35EdbxBYzKik",
            ...
        }
    ]
}
As you can see, the kid values do not match. Why this is I do not know. Any feedback is greatly appreciated!
References
#17
#33
https://developer.okta.com/blog/2020/01/15/protecting-a-php-api-with-oauth
Hi, after reviewing the latest master I came to the conclusion that this call is not a valid one (the 2nd argument is missing):
okta-jwt-verifier-php/src/JwtVerifier.php, line 106 in 22a1c0a
Is verify() now irrelevant?
Currently if you install the latest version of Carbon, you are unable to install this library:
Your requirements could not be resolved to an installable set of packages.
Problem 1
- Installation request for okta/jwt-verifier ^0.2.1 -> satisfiable by okta/jwt-verifier[0.2.1].
- okta/jwt-verifier 0.2.1 requires nesbot/carbon ^1.22 -> satisfiable by nesbot/carbon[1.22.0, 1.22.1, 1.23.0, 1.24.0, 1.24.1, 1.24.2, 1.25.0, 1.26.0, 1.26.1, 1.26.2, 1.26.3, 1.26.4, 1.27.0, 1.28.0, 1.29.0, 1.29.1, 1.29.2, 1.30.0, 1.31.0, 1.31.1, 1.32.0, 1.33.0, 1.34.0, 1.34.1, 1.34.2, 1.34.3, 1.34.4, 1.35.0, 1.35.1, 1.36.0, 1.36.1] but these conflict with your requirements or minimum-stability.
Hi,
The new version of firebase/php-jwt breaks okta-verify.
It looks like only RS256 is supported. Would it be possible to support other algorithms as well, specifically PS256?
Hey guys,
I'm working on implementing a REST API secured by an Okta Authorization server. Although this package provides everything I need for development, I think I'll face some issues when it comes to production usage. My concerns are the following:
- Adaptor implementation. This is not only a duplication of concerns (both existing adaptor implementations need to implement the fetching of keys even though it is the same process), but it also makes it impossible to implement a caching layer so the keys are not loaded from Okta each time a token needs to be verified: the verifier currently makes 2 calls to Okta during each request, first to get the JWK URL from the authorization server metadata and then to get the keys from that URL.
- cid claim: according to the current implementation of JwtVerifier it must always be verified. My only problem with that is the verifier only supports a single client ID, which means all the consumers of my API must obtain the token using the same Okta app.
I'm wondering if I'm exaggerating these problems due to my limited experience with Okta and OAuth, or whether they are valid concerns?
I am happy to contribute to this package if the following improvements should be made:
- A KeyRepository, injected into JwtVerifier, that is responsible for fetching (and caching) JWKs, instead of using the Adaptor::getKeys() method.
- JwtVerifier changed so it verifies tokens issued for any of the allowed clients.
We should be able to auto-discover supported JWT libraries so the user does not have to include it in the setup.
Hi, I am using the SpomkyLabsJose adaptor for the token verification and the connection parameters are exactly the same as provided by the client. But it is showing:
Invalid URL.
200
We are using OIDC for the SSO.
Is it an issue with the authorization server? My code is pasted below
<?php
$jwt = $_REQUEST['id_token'];

$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setDiscovery(new \Okta\JwtVerifier\Discovery\Oauth) // This is not needed if using oauth. The other option is OIDC
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\SpomkyLabsJose)
    ->setAudience('api://default')
    ->setClientId('{clientId}')
    ->setIssuer('https://{yourOktaDomain}.com/oauth2/default')
    ->build();

$jwt = $jwtVerifier->verify($jwt);

dump($jwt); // Returns instance of \Okta\JwtVerifier\JWT
dump($jwt->toJson()); // Returns Claims as JSON Object
dump($jwt->getClaims()); // Returns Claims as they come from the JWT Package used
dump($jwt->getIssuedAt()); // returns Carbon instance of issued at time
dump($jwt->getIssuedAt(false)); // returns timestamp of issued at time
dump($jwt->getExpirationTime()); // returns Carbon instance of Expiration Time
dump($jwt->getExpirationTime(false)); // returns timestamp of Expiration Time
I get the following message when attempting to follow the documentation.
Package spomky-labs/jose is abandoned, you should avoid using it. Use web-token/jwt-framework instead.
The examples should probably be updated to recommend the firebase library, web-token library, or some other library that is not abandoned.
I have followed the setup instructions and have a basic PHP backend to verify the JWT token issued from one of our mobile applications. Neither the SpomkyLabsJose provider or Firebase provider are working:
$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setDiscovery(new \Okta\JwtVerifier\Discovery\Oauth) // This is not needed if using oauth. The other option is OIDC
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\SpomkyLabsJose())
    ->setAudience('api://default')
    ->setClientId('{{CLIENT_ID}}')
    ->setIssuer('https://{{ORG__URL}}.com/oauth2/default')
    ->build();

$jwt = $jwtVerifier->verify($jwt);
dump($jwtVerifier);
is producing this error:
filter_var(): explicit use of FILTER_FLAG_SCHEME_REQUIRED and FILTER_FLAG_HOST_REQUIRED is deprecated
Switching to the Firebase adaptor produces:
"kid" invalid, unable to lookup correct key
which is mentioned in #17
It seems the SpomkyLabsJose adaptor is deprecated as mentioned in #27 and there is missing information for the other adaptor. What can I do to resolve this as I need to validate JWTs issued from the mobile client. Any help is appreciated! Thank you!
error message: Nonce does not match what is expected. Make sure to provide the nonce with setNonce() from the JwtVerifierBuilder.
please help to fix this issue.
Access token validation is done by a resource server, and it likely will not know the client_id of the client making the request ahead of time, such as when an API is used by an arbitrary number of OAuth clients in an organization. As such, it shouldn't be required to configure the library with a client_id before validating a token.
The Okta .NET and Java SDKs also don't require setting a client_id in order to use the JWT verifier library, so this should match those libraries as well.
Hi
When I try to run the following code:
    $url = config('app.okta_base_url') . '/oauth2';
    $jwtVerifier = (new JwtVerifier\JwtVerifierBuilder())
        ->setAdaptor(new JwtVerifier\Adaptors\FirebasePhpJwt)
        ->setAudience('api://default')
        ->setClientId(config('app.okta_client_id'))
        ->setIssuer($url)
        ->build();
$jwtVerifier->metaData is null, and I have no idea why.
When I try to run like in the example with /default:
    $url = config('app.okta_base_url') . '/oauth2/default';
metaData is not null, but I get errorCode "E0000015" and errorSummary: "You do not have permission to access the feature you are requesting". I've been told that specifically in my case I don't need to use /default; I don't use it in any of my other API calls.
Any suggestions?
Thanks in advance!
Currently, the package relies on Carbon 1.22. Do you plan to integrate support for Carbon 2?
Hello,
After updating dependencies on a project I'm working on, I noticed the leeway is not working anymore, i.e. it always defaults to zero.
This is because the method Okta\JwtVerifier\Adaptors\FirebasePhpJwt::decode() was updated in this commit 548c7d0.
The following line was removed:
    FirebaseJWT::$leeway = $this->leeway;
This looks like a bug to me. Can anyone confirm whether this is a bug or the line was removed intentionally?
There are a few places where the validation feels too strict.
- clientId is arbitrary when checking a token in an API and should be allowed to be skipped.
I am looking to validate a JWT issued by Okta for the Client Credentials flow. Please let me know if this should be asked instead in the Okta dev forums.
I am building an API that many other systems will call for machine to machine communication. Each system hits the same URL in the API. From what I understand with the Client Credentials flow, each system will have a separate application in Okta, so each will have its own client id.
When using okta-jwt-verifier-php, it seems that I have to pass a client id using setClientId(). If I don't, I get back an error "ClientId does not match what is expected".
I could be misunderstanding how Client Credentials works, but in this scenario, each JWT will have a different client id since each system will have its own application. Is that correct, and if so, is there a way that I can validate JWT's where the client id could be one of many possible valid client ids? I will be validating the client id in my own code after the JWT is verified.
Or does the Client Credentials flow work differently?
Thank you for your help.
I am new to this module. I followed the installation instructions, installed firebase and psr7 dependencies along with the okta/okta-jwt-verifier-php module. I am getting this error, I went through open issues and could not find one. Please let me know how I can fix this or if a workaround exists. Really appreciate any help.
Http\Discovery\Exception\ClassInstantiationFailedException: Unexpected exception when instantiating class. in /root/code/app/vendor/php-http/discovery/src/ClassDiscovery.php on line 220
Call Stack: #1 3.1931 362968 {main}( ) .../index.php:0
PHP 7.4.8
In a brand new install of this library, I am getting the following error:
PHP Fatal error: Uncaught Http\Discovery\Exception\DiscoveryFailedException: Could not find resource using any discovery strategy. Find more information at http://docs.php-http.org/en/latest/discovery.html#common-errors
- Puli Factory is not available
- No valid candidate found using strategy "Http\Discovery\Strategy\CommonClassesStrategy". We tested the following candidates: .
- No valid candidate found using strategy "Http\Discovery\Strategy\CommonPsr17ClassesStrategy". We tested the following candidates: Phalcon\Http\Message\ResponseFactory, Nyholm\Psr7\Factory\Psr17Factory, Zend\Diactoros\ResponseFactory, GuzzleHttp\Psr7\HttpFactory, Http\Factory\Diactoros\ResponseFactory, Http\Factory\Guzzle\ResponseFactory, Http\Factory\Slim\ResponseFactory, Laminas\Diactoros\ResponseFactory, Slim\Psr7\Factory\ResponseFactory.
In an empty folder, I ran:
composer require okta/jwt-verifier firebase/php-jwt guzzlehttp/psr7
Then created a file test.php containing:
<?php
require('vendor/autoload.php');

$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setIssuer('foo')
    ->setAudience('api://default')
    ->setClientId('foo')
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt())
    ->build();
When running php test.php I get the above error. I tried installing the mentioned libraries at the link in the error:
composer require php-http/curl-client guzzlehttp/psr7 php-http/message
but still get the same errors.
I am running PHP 7.4.16
Is there a reason this library is not compatible with the default authorization server?
It looks like the only difference is the "well known" address:
https://${yourOktaDomain}/.well-known/openid-configuration
vs
https://${yourOktaDomain}/oauth2/${authServerId}/.well-known/openid-configuration
Essentially, if not private it should use the domain and not the issuer to get the config and everything else should work, right? This seems easily doable by adding a setPublic flag on the JwtVerifierBuilder, or parsing the issuer for the authServerId and if one isn't set fall back on the default.
I see in these tickets 19 and 50 that this has been brought up before and the solution was to throw an exception instead of supporting the default authorization server.
Why?
On validating an Okta JWT token with
    $jwt = $jwtVerifier->verify($jwt);
it terminates further code execution if the token is expired. Is it possible to handle an expired token and accordingly execute some code (like redirect to login)? Something like this is what I need after calling the verify function:
    $jwt = $jwtVerifier->verify($jwt);
    if ($jwt) {
        ----success code----
    } else { // If the token has expired, I want this code to execute..
        header("Location:login");
    }
Hi,
I'm sure it's not an issue, but I wonder why the claim for the "Client ID" is "cid" in the validateClientId method and not "client_id" like the JWT specification seems to describe?
It would be nice to be able to add the capacity in the JwtVerifierBuilder to define the claim name for ClientID (and of course adjust the validateClientId method).
Source: https://www.iana.org/assignments/jwt/jwt.xhtml
Claim Name | Claim Description
client_id | Client Identifier
The usage docs for this library are pretty blank. It currently just shows a code snippet with no explanation of what's going on. It'd be cool to get a read guide that explains what JWTs are, what this library does in more detail, and how to work with JWTs using this library.
Currently these 3 classes make little sense: the abstract class defines the property $wellKnownUri and its getter is called getWellKnown(), and the subclasses override the property but add a new getter GetWellKnownUri().
Since the 2 implementations have the well-known hardcoded anyway, there's no need for variables. The abstract class can also be made concrete when we allow the $wellKnown to be injected. This way we can use this class directly in our local and test environments by configuring it in the DI container.
While trying to require okta/jwt-verifier, we get the following error:
Problem 1
- Installation request for okta/jwt-verifier ^0.4.0 -> satisfiable by okta/jwt-verifier[0.4.0].
- okta/jwt-verifier 0.4.0 requires php-http/httplug ^1.1 -> satisfiable by php-http/httplug[v1.1.0] but these conflict with your requirements or minimum-stability.
We are using php-http/httplug:^2.1.0 because of other dependencies.
The cache used in the FirebaseJwtAdapter is not compatible with symfony/cache because it uses a Carbon date for the cache item TTL but Symfony only accepts an integer or a DateInterval.
https://github.com/symfony/cache/blob/364fc90734230d936ac2db8e897cc03ec8497bbb/CacheItem.php#L90
    public function expiresAfter($time): self
    {
        if (null === $time) {
            $this->expiry = null;
        } elseif ($time instanceof \DateInterval) {
            $this->expiry = microtime(true) + \DateTime::createFromFormat('U', 0)->add($time)->format('U.u');
        } elseif (\is_int($time)) {
            $this->expiry = $time + microtime(true);
        } else {
            throw new InvalidArgumentException(sprintf('Expiration date must be an integer, a DateInterval or null, "%s" given.', get_debug_type($time)));
        }

        return $this;
    }
So we get the following exception when setting the TTL:
{
    class: "Symfony\\Component\\Cache\\Exception\\InvalidArgumentException"
    detail: "Expiration date must be an integer, a DateInterval or null, \"Carbon\\Carbon\" given."
}
Pull Request : #106
I have the Angular sample login. Pass that id_token into PHP.
PHP has the required libraries, calls the autoload.php properly.
$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt())
    ->setClientId('{myClientID}')
    ->setAudience('api://default')
    ->setIssuer('https://myCompany.okta.com/oauth2/default')
    ->build();

$token = $jwtVerifier->verifyIdToken($jwt);
Yields this:
UnexpectedValueException: "kid" invalid, unable to lookup correct key in /vendor/firebase/php-jwt/src/JWT.php:117
I've followed several different protocols, they look simple enough and I keep coming back to this.
Hi,
This client is great. Thanks for building it. The only part tripping me up is the nonce.
I'm using Okta OIDC. We're doing client side verification in a react app and I plan on passing the id_token to our API for validation and pass back a session token.
$jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
    ->setDiscovery(new \Okta\JwtVerifier\Discovery\Oidc)
    ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt)
    ->setAudience('{client_id}')
    ->setClientId('{client_id}')
    ->setIssuer('https://{custom}.okta.com')
    ->setNonce(null)
    ->build();

$jwt = $jwtVerifier->verify($okta_jwt);
This results in:
Nonce does not match what is expected. Make sure to provide the nonce with 'setNonce()' from the JwtVerifierBuilder.
The id_token already has a nonce and the verifier is trying to check that the nonce for the builder matches. If I don't include setNonce or pass in null to setNonce, I still get the same error. Am I doing something wrong here? If I set the nonce manually to what I know it is in the token, everything appears to work fine.
My only other thought to get around this is to build my own Adaptor where after the decode I set the nonce to null. I may need to do this anyway since my Okta setup doesn't return a cid in the jwt; the client id comes back in the aud field.
Any thoughts you have on this would be greatly appreciated.
When decoding the id_token there is an aud index in the payload but no cid index is present.
Setting setClientId(null) results in an exception saying it is required.
Is there perhaps an Okta config missing? The odd thing is that the aud key in the payload matches the Okta ClientId, not api://default.
Hi,
I have followed the instruction and installed required packages. My composer.json looks like below:
{
    "require": {
        "vlucas/phpdotenv": "^5.2",
        "okta/jwt-verifier": "^1.0",
        "firebase/php-jwt": "^5.2",
        "guzzlehttp/psr7": "^1.7"
    },
    "autoload": {
        "psr-4": {
            "Src\\": "src/"
        }
    }
}
I added the following code to my index.php:
<?php
require_once("vendor/autoload.php");
...
// authenticate the request with Okta:
if (! authenticate()) {
    header("HTTP/1.1 401 Unauthorized");
    exit('Unauthorized');
}

function authenticate() {
    try {
        // Read the Authorization header; PHP exposes it under different
        // $_SERVER keys depending on the web server / SAPI configuration
        switch (true) {
            case array_key_exists('HTTP_AUTHORIZATION', $_SERVER):
                $authHeader = $_SERVER['HTTP_AUTHORIZATION'];
                break;
            case array_key_exists('Authorization', $_SERVER):
                $authHeader = $_SERVER['Authorization'];
                break;
            default:
                $authHeader = null;
                break;
        }

        // Extract the bearer token (cast so a missing header is an empty string, not null)
        preg_match('/Bearer\s(\S+)/', (string) $authHeader, $matches);
        if (!isset($matches[1])) {
            throw new \Exception('No Bearer Token');
        }

        $jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
            ->setAdaptor(new \Okta\JwtVerifier\Adaptors\FirebasePhpJwt)
            ->setAudience('api://default')
            ->setClientId($_ENV['OKTACLIENTID'])
            ->setIssuer($_ENV['OKTAISSUER'])
            ->build();

        // verify() throws on an invalid token; the catch below turns that into false
        $result = $jwtVerifier->verify($matches[1]);
        return $result;
    } catch (\Exception $e) {
        error_log($e);
        return false;
    }
}
?>
This generates the following error:
2020/10/13 15:58:40 [error] 82180#82180: *1994 FastCGI sent in stderr: "PHP message: Http\Discovery\Exception\DiscoveryFailedException: Could not find resource using any discovery strategy. Find more information at http://docs.php-http.org/en/latest/discovery.html#common-errors
- Puli Factory is not available
- No valid candidate found using strategy "Http\Discovery\Strategy\CommonClassesStrategy". We tested the following candidates: .
- No valid candidate found using strategy "Http\Discovery\Strategy\CommonPsr17ClassesStrategy". We tested the following candidates: Phalcon\Http\Message\ResponseFactory, Nyholm\Psr7\Factory\Psr17Factory, Zend\Diactoros\ResponseFactory, GuzzleHttp\Psr7\HttpFactory, Http\Factory\Diactoros\ResponseFactory, Http\Factory\Guzzle\ResponseFactory, Http\Factory\Slim\ResponseFactory, Laminas\Diactoros\ResponseFactory.
in /var/www/api/wg/vendor/php-http/discovery/src/Exception/DiscoveryFailedException.php:41
Stack trace:
#0 /var/www/api/wg/vendor/php-http/discovery/src/ClassDiscovery.php(79): Http\Discovery\Exception\DiscoveryFailedException:" while reading response header from upstream, client: <IP>, server: api.example.com, request: "GET /wg HTTP/1.1", upstream: "fastcgi://unix:/run/php-fpm/php-fpm.sock:", host: "api.example.com", referrer: "http://localhost:4200/"
Could someone please assist to solve this issue?
Thank you for your work on the okta-jwt-verifier-php.
I am trying to make sure that I am using this correctly:
https://github.com/okta/okta-jwt-verifier-php#validating-an-access-token
$jwt = $jwtVerifier->verifyAccessToken($jwtString);
• token expiration time
• the time it was issued at
• that the token issuer matches the expected value passed into the above helper
• that the token audience matches the expected value passed into the above helper
I don't see anywhere in the code that actually checks the token expiration time. Am I missing something?
I am also trying to understand where the signature verification occurs.
Thanks,
Aidan.
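The checks asked about in this post, and in the earlier posts on leeway, on handling an expired token without the request dying, and on accepting tokens from more than one client ID, written out as an added example in plain PHP. This is not okta/jwt-verifier code and not a description of how the library implements them; with firebase/php-jwt the signature check and the exp/nbf/iat checks (with leeway) both happen inside JWT::decode(), which throws on failure, and the issuer, audience and client checks are applied to the decoded claims afterwards. The issuer and client IDs below are placeholders, the sample token is constructed and unsigned, and the clock is injected so the expiry case can be shown deterministically.

```php
<?php
// Added example, not okta/jwt-verifier code. Decodes a compact JWT without
// checking its signature, then applies the claim checks a resource server
// needs: exp/nbf/iat with leeway, iss, aud, and cid against a list of allowed
// client IDs. Signature verification stays with the JWT library; run these
// checks only on a token whose signature has already been verified.
declare(strict_types=1);

class ClaimsException extends RuntimeException {}
class ExpiredTokenException extends ClaimsException {}

function base64UrlDecode(string $data): string
{
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4);
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    if ($decoded === false) {
        throw new ClaimsException('Segment is not valid base64url');
    }
    return $decoded;
}

// Header and payload of a compact JWS as arrays; the signature is not checked here.
function decodeJwtUnverified(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new ClaimsException('Token must have exactly three segments');
    }
    $header = json_decode(base64UrlDecode($parts[0]), true);
    $payload = json_decode(base64UrlDecode($parts[1]), true);
    if (!is_array($header) || !is_array($payload)) {
        throw new ClaimsException('Header or payload is not a JSON object');
    }
    return [$header, $payload];
}

// $expected = ['iss' => string, 'aud' => string, 'cids' => string[]]; an empty 'cids'
// list skips the client check, which is what an API used by many clients wants.
function validateAccessTokenClaims(array $claims, array $expected, int $leeway = 0, ?int $now = null): void
{
    $now = $now ?? time();
    // exp is required here: a token without one would never expire.
    if (!isset($claims['exp']) || !is_int($claims['exp'])) {
        throw new ClaimsException('Missing exp claim');
    }
    if ($now - $leeway >= $claims['exp']) {
        throw new ExpiredTokenException('Token expired at ' . $claims['exp']);
    }
    if (isset($claims['nbf']) && $claims['nbf'] > $now + $leeway) {
        throw new ClaimsException('Token not yet valid (nbf)');
    }
    if (isset($claims['iat']) && $claims['iat'] > $now + $leeway) {
        throw new ClaimsException('Token issued in the future (iat)');
    }
    if (($claims['iss'] ?? null) !== $expected['iss']) {
        throw new ClaimsException('Issuer mismatch');
    }
    // aud may be a string or an array of strings (RFC 7519 section 4.1.3).
    if (!in_array($expected['aud'], (array) ($claims['aud'] ?? []), true)) {
        throw new ClaimsException('Audience mismatch');
    }
    // Okta access tokens name the client in "cid"; accept any allowed client.
    if ($expected['cids'] !== [] && !in_array($claims['cid'] ?? null, $expected['cids'], true)) {
        throw new ClaimsException('Client ' . ($claims['cid'] ?? '<none>') . ' is not allowed');
    }
}

// Constructed, unsigned sample token (placeholder signature) so this runs offline.
function sampleToken(array $payload): string
{
    $enc = function (array $x): string {
        return rtrim(strtr(base64_encode(json_encode($x)), '+/', '-_'), '=');
    };
    return $enc(['alg' => 'RS256', 'kid' => 'example-kid']) . '.' . $enc($payload) . '.placeholder';
}

$expected = [
    'iss' => 'https://example.okta.com/oauth2/default',          // placeholder issuer
    'aud' => 'api://default',
    'cids' => ['0oaAAAAAAAAAAAAAAAAA', '0oaBBBBBBBBBBBBBBBBB'],  // hypothetical client IDs
];
$now = 1700000000;  // injected clock
$token = sampleToken(['iss' => $expected['iss'], 'aud' => 'api://default',
    'cid' => '0oaBBBBBBBBBBBBBBBBB', 'iat' => $now - 60, 'exp' => $now + 3600]);

[$header, $claims] = decodeJwtUnverified($token);
validateAccessTokenClaims($claims, $expected, 30, $now);  // passes
echo "valid token for client {$claims['cid']}\n";

try {
    // Same claims but expired 120 s ago: 30 s of leeway does not save it.
    validateAccessTokenClaims(['exp' => $now - 120] + $claims, $expected, 30, $now);
} catch (ExpiredTokenException $e) {
    // Catching here is what lets a web app redirect to login instead of
    // letting the failure terminate the request.
    echo "expired: {$e->getMessage()}\n";
}
```

The order matters: time checks first, because they are cheap and independent of configuration; then issuer and audience, which pin the token to this authorization server and this API; and only then the client list, which is policy rather than validity. The expired case is caught as its own exception type so the caller can distinguish "log in again" from "this token was never meant for us".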
Hello,
I noticed that at each call of the library, several calls are made to get the auth key:
1. well-known, to get jwks_uri
2. jwks URI, to get keys.
Could you please check if we could put these keys in a cache?
thanks
Does this JWT verifier work with Okta SAML2 authentication as well?
Hello,
Is adding PHP8 support to this library on the roadmap? Lack of support is going to become a blocker on a number of our projects.
Any indication of when this can be expected would be much appreciated.
To help avoid misconfiguration, this library should implement these checks against common errors: https://oktawiki.atlassian.net/wiki/spaces/PM/pages/552049922/Library+configuration+checks
For this library, these checks apply:
Additionally, make sure these placeholders are always used in documentation or samples:
- https://{yourOktaDomain} (not {yourOktaDomain}.com)
- {clientId}
- {clientSecret}
Hi!
Are there any PHP 5.6 ports of this library already? We need to add it into a legacy project which is not migrated to PHP 7 yet.
Hello,
I saw some hardcoded strings in the JwtVerifierBuilder.php file.
When the authentication object is checked, it's comparing with a "dummy" entry:
    if (strstr($issuer, "{yourOktaDomain}") != false) {
    if (strstr($cid, "{clientId}") != false) {
Is this something wanted? This check is totally irrelevant.
Thanks
I have the current setup with Okta:
Any clue what might be wrong? Does KID mean Key ID? I can't find this KID concept within OAuth.
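On the kid question raised here and in the earlier posts that ended in "kid" invalid, unable to lookup correct key: kid is the JWS Key ID header (RFC 7515 section 4.1.4). The verifier reads it from the token header and looks for a JWK with the same kid in the key set published at the issuer's jwks_uri, which it learns from the issuer's /.well-known/openid-configuration. Okta's org authorization server (https://{yourOktaDomain}) and each custom authorization server (https://{yourOktaDomain}/oauth2/{authServerId}) have separate signing keys, so a token minted by one can never be matched against the key set of the other; when the kid is missing from the JWKS you compare against, the first thing to check is that the issuer you configured is the one that actually issued the token. The PHP example below is added here and is not okta/jwt-verifier code: it does that lookup with a small in-process cache for both hops (which also covers the two-requests-per-verification and integer-TTL points raised above) and refreshes once on an unknown kid before failing, since Okta rotates keys. The issuer, URLs, kids and responses are constructed placeholders and the HTTP fetch is an injected closure.

```php
<?php
// Added example, not okta/jwt-verifier code. Finds the signing key for a token
// from its "kid" header (the JWS Key ID, RFC 7515 section 4.1.4) by walking
// issuer -> /.well-known/openid-configuration -> jwks_uri -> keys, caching both
// hops so the two HTTP round trips are not repeated on every request. The fetch
// is injected (a closure over constructed responses) so this runs offline.
declare(strict_types=1);

class KeyLookupException extends RuntimeException {}

final class JwksCache
{
    private $fetch;                // callable(string $url): string, returns the response body
    private int $ttl;              // integer seconds, which PSR-6/PSR-16 caches accept
    private array $jwksUris = [];  // issuer => jwks_uri
    private array $keySets = [];   // jwks_uri => ['expires' => int, 'keys' => [kid => jwk]]

    public function __construct(callable $fetch, int $ttlSeconds = 3600)
    {
        $this->fetch = $fetch;
        $this->ttl = $ttlSeconds;
    }

    // The org server (https://{domain}) and a custom server (.../oauth2/{id}) both publish metadata here.
    public static function metadataUrl(string $issuer): string
    {
        return rtrim($issuer, '/') . '/.well-known/openid-configuration';
    }

    public function findKey(string $issuer, string $kid): array
    {
        $jwksUri = $this->jwksUri($issuer);
        $keys = $this->keys($jwksUri, false);
        if (!isset($keys[$kid])) {
            // Okta rotates keys, so refresh once before failing. A kid that is
            // still unknown means the token was signed by another authorization
            // server: the org server and each custom server have separate keys.
            $keys = $this->keys($jwksUri, true);
        }
        if (!isset($keys[$kid])) {
            throw new KeyLookupException("kid \"$kid\" is not published at $jwksUri");
        }
        return $keys[$kid];
    }

    private function jwksUri(string $issuer): string
    {
        if (!isset($this->jwksUris[$issuer])) {
            $meta = json_decode(($this->fetch)(self::metadataUrl($issuer)), true);
            if (!is_array($meta) || empty($meta['jwks_uri'])) {
                throw new KeyLookupException("No jwks_uri in the metadata for $issuer");
            }
            $this->jwksUris[$issuer] = $meta['jwks_uri'];
        }
        return $this->jwksUris[$issuer];
    }

    private function keys(string $jwksUri, bool $force): array
    {
        $entry = $this->keySets[$jwksUri] ?? null;
        if ($entry !== null && !$force && $entry['expires'] > time()) {
            return $entry['keys'];
        }
        $byKid = [];
        foreach (json_decode(($this->fetch)($jwksUri), true)['keys'] ?? [] as $jwk) {
            if (isset($jwk['kid'], $jwk['kty']) && $jwk['kty'] === 'RSA') {  // usable for RS256
                $byKid[$jwk['kid']] = $jwk;
            }
        }
        $this->keySets[$jwksUri] = ['expires' => time() + $this->ttl, 'keys' => $byKid];
        return $byKid;
    }
}

// Constructed responses for a hypothetical custom authorization server ("n" is stubbed).
$issuer = 'https://example.okta.com/oauth2/default';
$responses = [
    JwksCache::metadataUrl($issuer) => json_encode(['issuer' => $issuer, 'jwks_uri' => "$issuer/v1/keys"]),
    "$issuer/v1/keys" => json_encode(['keys' => [
        ['kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => 'kid-current', 'e' => 'AQAB', 'n' => 'stub'],
    ]]),
];
$calls = 0;
$cache = new JwksCache(function (string $url) use ($responses, &$calls): string {
    $calls++;
    if (!isset($responses[$url])) {
        throw new KeyLookupException("no response for $url");
    }
    return $responses[$url];
}, 600);

// Constructed token: header {"alg":"RS256","kid":"kid-current"}, payload "{}", placeholder signature.
$jwt = rtrim(strtr(base64_encode('{"alg":"RS256","kid":"kid-current"}'), '+/', '-_'), '=') . '.e30.sig';
// The kid lives in the (unverified) JOSE header, the first segment of the token.
$kid = json_decode(base64_decode(strtr(explode('.', $jwt)[0], '-_', '+/')), true)['kid'] ?? '';
$jwk = $cache->findKey($issuer, $kid);  // 2 fetches: metadata, then keys
$jwk = $cache->findKey($issuer, $kid);  // served from cache
echo "fetches: $calls, key: {$jwk['kid']}\n";  // fetches: 2
try {
    $cache->findKey($issuer, 'kid-from-other-server');  // one forced refresh, then a clear error
} catch (KeyLookupException $e) {
    echo $e->getMessage(), "\n";
}
```

The returned JWK is what you hand to the JWT library for the actual RS256 signature check; the lookup itself only selects the key. Keep the forced refresh to one attempt per verification, otherwise a flood of tokens with bogus kids turns into a flood of requests to Okta.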