Okta JWT verification (Node.js): Error while resolving signing key for kid

I'm trying to verify an Okta access token in my Node.js application. I dropped in the access token so you can check the issuer, and I've compared the issuer in the token with the one in the verifier constructor. They both seem to be the same. Appreciate any help.

My code:


const OktaJwtVerifier = require('@okta/jwt-verifier');

const oktaJwtVerifier = new OktaJwtVerifier({
  issuer: `https://signin-test.syngenta.com/oauth2/ausqmgapztkTfvQg70h7`,
  clientId: process.env.OKTA_CLIENT_ID, // tried without passing the client id also
  assertClaims: {
    aud: "api://syngenta-test",
  },
});

a validation failed, inspect the error
[JwtParseError: Error while resolving signing key for kid "OrR_mnz02b3f3S4xARPV0kWN9rT3wLshRBXUFdIBP6o"] {
  userMessage: 'Error while resolving signing key for kid "OrR_mnz02b3f3S4xARPV0kWN9rT3wLshRBXUFdIBP6o"',
  jwtString: 'eyJraWQiOiJPclJfbW56MDJiM2YzUzR4QVJQVjBrV045clQzd0xzaFJCWFVGZElCUDZvIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULng4R093dFVpOExBVEtlWWtsd2ZBU2QtZDl6aERycGZ2cWlZRHN1Y1FVZTQiLCJpc3MiOiJodHRwczovL3NpZ25pbi10ZXN0LnN5bmdlbnRhLmNvbS9vYXV0aDIvYXVzcW1nYXB6dGtUZnZRZzcwaDciLCJhdWQiOiJhcGk6Ly9zeW5nZW50YS10ZXN0IiwiaWF0IjoxNTk0NTc4MjE4LCJleHAiOjE1OTQ1ODE4MTgsImNpZCI6IjBvYXNqMTNhNDhEMDJYeGJUMGg3IiwidWlkIjoiMDB1c2o0bHByaXRucjBCcHEwaDciLCJzY3AiOlsiZW1haWwiLCJvcGVuaWQiLCJwcm9maWxlIl0sInN1YiI6ImdhZGV2QHN5bmdlbnRhLmNvbSJ9.fYU2RFj3CTSX-MVblXkFvCco72AOvyfDBc6njoTnA7kmMsuspO3mFf3n1vNobOi22VCQwjXULdk4Dnsf-VJXunmXT2ps0TjCd6wEAtvFVWxoS-jHpk2SYbU2WxeqGvIviG-fkqavPzsxiqSu_kcgv3OPXHB1T-jprCXM4GQWPLwFUWZbuvZSwTIk_TEUMjtUf5C-GEGExw7pbPVspkAJlrCVD0oQb5-AvUiqPeKsPx8FlXB7piUDAiI7E_lBsfLYe8PxM3PJXnd8SDewpZazma2MjYTcGSH92XjDAArDajpJQdofDHwclOWcMz9A6-pguS2ELB2yOpJpOQkMI9JanQ',
  parsedHeader: JwtHeader {
    typ: 'JWT',
    alg: 'RS256',
    kid: 'OrR_mnz02b3f3S4xARPV0kWN9rT3wLshRBXUFdIBP6o'
  },
  parsedBody: JwtBody {
    ver: 1,
    jti: 'AT.x8GOwtUi8LATKeYklwfASd-d9zhDrpfvqiYDsucQUe4',
    iss: 'https://signin-test.syngenta.com/oauth2/ausqmgapztkTfvQg70h7',
    aud: 'api://syngenta-test',
    iat: 1594578218,
    exp: 1594581818,
    cid: '0oasj13a48D02XxbT0h7',
    uid: '00usj4lpritnr0Bpq0h7',
    scp: [ 'email', 'openid', 'profile' ],
    sub: 'gadev@syngenta.com'
  },
  innerError: Error: unable to verify the first certificate
      at TLSSocket.onConnectSecure (_tls_wrap.js:1501:34)
      at TLSSocket.emit (events.js:315:20)
      at TLSSocket._finishInit (_tls_wrap.js:936:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:710:12) {
    code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
  }
}
(node:74211) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). To terminate the node process on unhandled promise rejection, use the CLI flag --unhandled-rejections=strict (see the Node.js command-line API documentation). (rejection id: 1)

After a lot of debugging and reading through your package code, I found what my issue was. I went into node_modules and added strictSsl: false.

Is there a better way to handle this issue? I do not want to fork the package or copy the code directly into my source; that will be my last option.

Appreciate any help…

Hello, just wanted to share some info: please check the Node.js version. I was able to get it fixed by updating Node 4.4 to Node 11.15 on my RHEL 6 Linux machine.

Hi, I'm using Node 12.x LTS.

Has anyone from the Okta team had a chance to look into this?

Was there a response to this from Okta? I am having the exact same issue and am able to resolve it the same way as vejandla, but this isn't a good fix.

With help from Okta support, I was able to resolve this error. I had to add the optional TLS certificate chain in the custom URL domain section, where I originally added the TLS certificate and key.

Could you please provide some details or an example of what was added?

If you have configured a custom URL domain with Okta (as was the case with the original poster and @gauvinen), then you need to provide Okta the certificate chain when configuring your custom domain. This will prevent PKIX/TLS handshake errors from occurring when your server attempts to call the /keys endpoint on your custom (Okta) domain.


The unhandledRejection event is emitted whenever a promise rejection is not handled. "Rejection" is the canonical term for a promise reporting an error. As defined in ES6, a promise is a state machine representation of an asynchronous operation and can be in one of three states: "pending", "fulfilled", or "rejected". Somebody decided that JavaScript programmers couldn't be trusted with managing promise rejections properly and changed the HTML spec to require browsers to throw "unhandled promise rejection" errors if a rejected promise has no rejection handlers added before code returns to the event loop. The error usually happens in async/await functions, and there's an easy fix.

const functionName = async (args) => {
  try {
    // Your code here
  } catch (error) {
    // Handle rejection here
  }
};
