Okta jwt verification (nodejs), Error while resolving signing key for kid

I’m trying to verify an OKTA access token in my nodejs application. I dropped in the access token so you can check the issuer, and I’ve compared the issuer in the token with the one in the verifier constructor. They both seem to be the same. Appreciate any help.

My code:


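const OktaJwtVerifier = require('@okta/jwt-verifier');

// Verifier bound to the authorization server named in the token's iss claim.
const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: `https://signin-test.syngenta.com/oauth2/ausqmgapztkTfvQg70h7`,
  clientId: process.env.OKTA_CLIENT_ID, // tried without passing the client id also
  assertClaims: {
    aud: "api://syngenta-test",
  },
});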

a validation failed, inspect the error
[JwtParseError: Error while resolving signing key for kid “OrR_mnz02b3f3S4xARPV0kWN9rT3wLshRBXUFdIBP6o”] {
userMessage: ‘Error while resolving signing key for kid “OrR_mnz02b3f3S4xARPV0kWN9rT3wLshRBXUFdIBP6o”’,
jwtString: ‘eyJraWQiOiJPclJfbW56MDJiM2YzUzR4QVJQVjBrV045clQzd0xzaFJCWFVGZElCUDZvIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULng4R093dFVpOExBVEtlWWtsd2ZBU2QtZDl6aERycGZ2cWlZRHN1Y1FVZTQiLCJpc3MiOiJodHRwczovL3NpZ25pbi10ZXN0LnN5bmdlbnRhLmNvbS9vYXV0aDIvYXVzcW1nYXB6dGtUZnZRZzcwaDciLCJhdWQiOiJhcGk6Ly9zeW5nZW50YS10ZXN0IiwiaWF0IjoxNTk0NTc4MjE4LCJleHAiOjE1OTQ1ODE4MTgsImNpZCI6IjBvYXNqMTNhNDhEMDJYeGJUMGg3IiwidWlkIjoiMDB1c2o0bHByaXRucjBCcHEwaDciLCJzY3AiOlsiZW1haWwiLCJvcGVuaWQiLCJwcm9maWxlIl0sInN1YiI6ImdhZGV2QHN5bmdlbnRhLmNvbSJ9.fYU2RFj3CTSX-MVblXkFvCco72AOvyfDBc6njoTnA7kmMsuspO3mFf3n1vNobOi22VCQwjXULdk4Dnsf-VJXunmXT2ps0TjCd6wEAtvFVWxoS-jHpk2SYbU2WxeqGvIviG-fkqavPzsxiqSu_kcgv3OPXHB1T-jprCXM4GQWPLwFUWZbuvZSwTIk_TEUMjtUf5C-GEGExw7pbPVspkAJlrCVD0oQb5-AvUiqPeKsPx8FlXB7piUDAiI7E_lBsfLYe8PxM3PJXnd8SDewpZazma2MjYTcGSH92XjDAArDajpJQdofDHwclOWcMz9A6-pguS2ELB2yOpJpOQkMI9JanQ’,
parsedHeader: JwtHeader {
typ: ‘JWT’,
alg: ‘RS256’,
kid: ‘OrR_mnz02b3f3S4xARPV0kWN9rT3wLshRBXUFdIBP6o’
},
parsedBody: JwtBody {
ver: 1,
jti: ‘AT.x8GOwtUi8LATKeYklwfASd-d9zhDrpfvqiYDsucQUe4’,
iss: ‘https://signin-test.syngenta.com/oauth2/ausqmgapztkTfvQg70h7’,
aud: ‘api://syngenta-test’,
iat: 1594578218,
exp: 1594581818,
cid: ‘0oasj13a48D02XxbT0h7’,
uid: ‘00usj4lpritnr0Bpq0h7’,
scp: [ ‘email’, ‘openid’, ‘profile’ ],
sub: ‘gadev@syngenta.com’
},
innerError: Error: unable to verify the first certificate
at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
at TLSSocket.emit (events.js:315:20)
at TLSSocket._finishInit (_tls_wrap.js:936:8)
at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) {
code: ‘UNABLE_TO_VERIFY_LEAF_SIGNATURE’
}
}
(node:74211) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see https://nodejs.org/api/cli.html#cli_unhandled_rejections_mode). (rejection id: 1)

After a lot of debugging and reading through your package code, I found what my issue was. I went to node modules and added strictSsl: false.

Is there a better way to handle this issue? I do not want to fork the package or copy the code directly to my source; that will be my last option.

Appreciate any help…
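The error in the post above comes from the HTTPS fetch of the signing keys, not from the token, so one alternative to switching certificate checks off is to give Node the CA it cannot find. This is an added example, not code from the thread or from Okta's package; `diagnose`, `trustOptions` and `probe` are hypothetical helper names, and it assumes the cause is an intermediate or private CA certificate that Node does not trust by default.

```javascript
// Added example: helper names are hypothetical, sample data is constructed.
const tls = require('tls');

// Node error codes that mean the server's certificate chain failed validation.
const TLS_TRUST_CODES = new Set([
  'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
  'UNABLE_TO_GET_ISSUER_CERT_LOCALLY',
  'SELF_SIGNED_CERT_IN_CHAIN',
  'DEPTH_ZERO_SELF_SIGNED_CERT',
]);

// Walk a verifier error down its innerError/cause chain and report whether the
// root cause is TLS trust on the key fetch rather than anything in the token.
function diagnose(err) {
  for (let e = err, depth = 0; e && depth < 5; e = e.innerError || e.cause, depth++) {
    if (TLS_TRUST_CODES.has(e.code)) return { tlsTrust: true, code: e.code, depth };
  }
  return { tlsTrust: false, code: null, depth: -1 };
}

// TLS options that keep verification on and extend the bundled roots.
// Passing `ca` alone replaces Node's default roots, so both are merged here.
function trustOptions(extraCaPem) {
  return { rejectUnauthorized: true, ca: [...tls.rootCertificates, extraCaPem] };
}

// Handshake only (no request is sent): does the host validate with these options?
function probe(host, options = {}) {
  return new Promise((resolve) => {
    const socket = tls.connect({ host, port: 443, servername: host, ...options });
    socket.once('secureConnect', () => { socket.end(); resolve({ ok: true, code: null }); });
    socket.once('error', (e) => resolve({ ok: false, code: e.code }));
  });
}

// Constructed sample shaped like the error object printed in the post.
const sampleError = {
  userMessage: 'Error while resolving signing key for kid "<kid>"',
  innerError: { message: 'unable to verify the first certificate',
                code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE' },
};
```

If `probe(host)` fails but `probe(host, trustOptions(pem))` succeeds with the PEM of the missing CA, starting the process with `NODE_EXTRA_CA_CERTS` set to that file applies the same trust process-wide, with no change under `node_modules`.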

Hello, I just wanted to share some info: please check the nodejs version. I was able to get it fixed by updating node 4.4 to node 11.15 on my Linux machine running RHEL6.

Hi, I’m using node 12.x lts

Has anyone from the OKTA team had a chance to look into this?