Verify JWT token server side, Error: "Unable to verify the JWS"

Questions OAuth/OIDC
1

Hello,

I’m building an application with Vue js as my frontend.
I’ve done a custom login witch works great, but i have an API that i would like to verify the identity of the user trying to access the backend api (build in PHP).

So i figured i can send the accessToken from my frontend to my backend via Auth headers and as Bearer token and then verify it via okta api.

But i only get the response of “Unable to verify the JWS”, i dosent say what type of error it is.

I followed more or less the guide from okta

2

If you’re using a PHP backend, take a look at the sample resource-server that validates the access token using our jwt-verifier library - https://github.com/okta/samples-php/tree/develop/resource-server

Source code for the jwt-verifier library - https://github.com/okta/okta-jwt-verifier-php

3

Thank you for your reply @vijet !

I’ve set up that part correctly, i get the Baerer token to the backend.

I have checked so the kid also match i the public keys for the auth /v1/keys
And i use the same Issuer in the frontend and backend but still get the error

"“Unable to verify the JWS”

 public function __construct()
{
    // Don't do anything for prefetch requests.
    if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
        return false;
    }

    // Make sure the authorization header is available, if not return 401.
    if (!isset($_SERVER['HTTP_AUTHORIZATION'])) {
        http_response_code(401);
        die();
    }

    $authType = null;
    $authData = null;

    // Extract the auth type and the data from the Authorization header.
    list($authType, $authData) = explode(" ", $_SERVER['HTTP_AUTHORIZATION'], 2);
    
    // If the Authorization Header is not a bearer token, return a 401.
    if ($authType != 'Bearer') {
       
        http_response_code(401);
        die();
    }
    

    try {
        // Setup the JWT Verifier.
        $jwtVerifier = (new \Okta\JwtVerifier\JwtVerifierBuilder())
            ->setIssuer(getenv('OKTA_ORG_URL') .'/oauth2/default/')
            ->setAudience('api://default')
            ->setClientId(getenv('OKTA_CLIENT_ID'))
            ->build();

        // Verify the JWT from the Authorization Header.
        $jwt = $jwtVerifier->verify($authData);

    } catch (\Exception $e) {
        // We encountered an error, return a 401.
    
        http_response_code(401);
        die($e->getMessage());
    }

    // Check to make sure the client id is valid.
    if ($jwt->getClaims()['cid'] != getenv('OKTA_CLIENT_ID')) {
        http_response_code(401);
        die();
    }
}
4

Hello! Are you able to tell me at what point in this constructor that the code is failing at? Are you making it into the catch provided?

5

I was facing the same issue using React for frontend and Java for the backend, debuging the code i came upto

“kid” values in the bearer token (you can parse the JWT token, various sites available )does not match with the one generated by the authorization server.

The solution was the default authorization server does not verify the “id_token” so just try configuring a custom authorization server and you should be good to go. All the best …

6

Hey! The problem was a missmatch on the data sent from the frontend part. So that why…

7

Thank you for your reply! I figured it out in the and you are right.

8

Hi @Imisay… I’m having the same issue. what was the missmatch on the data that you found?
it might help me out

thanks

9

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.