sathish
November 29, 2018, 7:48am
The latest commit for https://github.com/okta/okta-oidc-js/blob/master/packages/jwt-verifier needs a clientId to be passed into the OktaJwtVerifier object constructor
const OktaJwtVerifier = require('@okta/jwt-verifier');
const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: 'https://{yourOktaDomain}/oauth2/default',
  clientId: 'test'
});
What is the need for clientId for JwtVerification?
Looking into the source code in the master branch, I find that the clientId is mandatory
const jwksClient = require('jwks-rsa');
const nJwt = require('njwt');
const {
  assertIssuer,
  assertClientId
} = require('@okta/configuration-validation');

class OktaJwtVerifier {
  constructor(options = {}) {
    // Assert configuration
    assertIssuer(options.issuer, options.testing);
    assertClientId(options.clientId);
    this.clientId = options.clientId;
    // ... remainder of the constructor and class omitted from the quote
  }
}
After this, the clientId is not used anywhere in the code! If the intent was to validate that the same client that got the access token is trying to validate it, then the clientId should have been checked against the cid claim in the access token further down in the code, which is not being done.
The configuration validation script checks that the clientId is a string other than “{clientId}”
class ConfigurationValidationError extends Error {}
const configUtil = module.exports;
const findDomainURL = 'https://bit.ly/finding-okta-domain';
const findAppCredentialsURL = 'https://bit.ly/finding-okta-app-credentials';
const copyCredentialsMessage = 'You can copy it from the Okta Developer Console ' +
configUtil.assertClientId = (clientId) => {
  if (!clientId) {
    throw new ConfigurationValidationError('Your client ID is missing. ' + copyCredentialsMessage);
  } else if (clientId.match(/{clientId}/g)) {
    throw new ConfigurationValidationError('Replace {clientId} with the client ID of your Application. ' + copyCredentialsMessage);
  }
};