Need for clientId in OktaJwtVerifier

The latest commit for https://github.com/okta/okta-oidc-js/blob/master/packages/jwt-verifier needs a clientId to be passed into the OktaJwtVerifier object constructor

const OktaJwtVerifier = require(’@okta/jwt-verifier’);

const oktaJwtVerifier = new OktaJwtVerifier({
issuer: ‘https://{yourOktaDomain}/oauth2/default’,
clientId: ‘test’
})

What is the need for clientId for JwtVerification?

Looking into the source code in the master branch, I find that the clientId is mandatory

const jwksClient = require(‘jwks-rsa’);
const nJwt = require(‘njwt’);

const {
assertIssuer,
assertClientId
} = require(’@okta/configuration-validation’);

class OktaJwtVerifier {
constructor(options = {}) {
// Assert configuration
assertIssuer(options.issuer, options.testing);
assertClientId(options.clientId);

this.clientId = options.clientId;

After this, the clientId is not used anywhere in the code! If the intent was to validate that the same client that got the access token is trying to validate it, then the clientId should have been checked against the cid claim in the access token further down in the code, which is not being done.

The configuration validation script checks that the clientId is a string other than “{clientId}”

configUtil.assertClientId = (clientId) => {
if (!clientId) {
throw new ConfigurationValidationError('Your client ID is missing. ’ + copyCredentialsMessage);
} else if (clientId.match(/{clientId}/g)) {
throw new ConfigurationValidationError('Replace {clientId} with the client ID of your Application. ’ + copyCredentialsMessage);
}
};

1 Like