I am a newbie to Okta and trying to get the authorizer to work, sorry if this is a silly question.
I have the authorizer created on Okta as:
audience : api://default
issuer : https://myarc.oktapreview.com/oauth2/
Signing key rotation : automatic
added sub and groups as claims and one scope variable.
I have created a web application with client_credentials enabled and am generating the token for this app by passing in the client credentials assigned to it, using the basic auth method.
Then I try to pass this token to my API Gateway Lambda authorizer, which uses the Okta authorizer created above via oauth2-bearer-jwt-handler. I have provided additional details below on how the server side specifies the URLs.
- Which tool/library are you using to validate the access token? - using require('oauth2-bearer-jwt-handler').JwtTokenHandler;
- What is the issuer URL that you have set? It should be of the form - generating the token at the client as: https://myarc.oktapreview.com/oauth2//v1/token (using client_credentials and basic auth), and at the server it is mentioned as https://myarc.oktapreview.com/oauth2/ for OAuth validation.
- Which /keys endpoint are you invoking? - 'https://myarc.oktapreview.com/oauth2/ /v1/keys'
- audience is set to api://default both while generating the token and on the authorizer lambda.
When I make a request to this authorizer it fails to execute the verifyRequest method on the handler with the following error:
2020-02-26T18:06:22.644Z 66a9e7be-ae94-41ba-a1eb-eca52b3c1fce INFO ipa-node-lambda-api-authorizer Failed to validate bearer token { BearerTokenError: Unable to resolve key for token signature
    at self._keyResolver.getSigningKey.then.catch.err (/var/task/node_modules/oauth2-bearer-jwt-handler/lib/jwt-token-handler.js:265:19)
    at process._tickCallback (internal/process/next_tick.js:68:7)
  realm: 'api://default',
  errorCode: 'invalid_token',
  name: 'BearerTokenError',
  message: 'Unable to resolve key for token signature',
  challenge:
   'Bearer realm="api://default", error="invalid_token", error_description="Unable to resolve key for token signature"',
  statusCode: 401 }
Lambda authorizer code:
const JwtTokenHandler = require('oauth2-bearer-jwt-handler').JwtTokenHandler;
const AuthPolicy = require('./auth-policy');
const fs = require('fs');
// Log prefix used by the console.log calls below. It was not defined in the
// snippet as posted; the value is taken from the log output above.
const c = 'ipa-node-lambda-api-authorizer';
const jwtTokenHandler = new JwtTokenHandler({
  issuer: process.env.ISSUER,     // must match the iss claim of the token
  audience: process.env.AUDIENCE, // api://default
  jwks: process.env.URL           // the authorization server's /v1/keys endpoint
});
console.log('Loading function');
exports.handler = function (event, context, callback) {
  console.log(c + " Starts");
  console.log(c + ' Client token: ' + event.authorizationToken);
  console.log(c + ' Method ARN: ' + event.methodArn);
  console.log("issuer :" + process.env.ISSUER);
  console.log("audience :" + process.env.AUDIENCE);
  console.log("jwks : " + JSON.stringify(jwtTokenHandler.jwks));
  // validate the incoming token
  // and produce the principal user identifier associated with the token
  jwtTokenHandler.verifyRequest({
    headers: {
      authorization: event.authorizationToken
    }
  }, function (err, claims) {
    console.log('claims: ');
    console.log(c + " " + claims);
    if (err) {
      console.log(c + ' Failed to validate bearer token', err);
      return callback("Unauthorized", null);
    }
    var principalId = Array.isArray(claims.sub) && claims.sub.length > 0 ? claims.sub[0] : JSON.stringify(claims.sub);
    console.log(c + ' request principal: ' + principalId);
    // if the token is valid, a policy must be generated which will allow or deny access to the client
    // build apiOptions for the AuthPolicy
    // ... (the AuthPolicy construction continues here; cut off in the original post)
  });
};